Vulnerability-Lookup

CVE-2026-34060 (GCVE-0-2026-34060)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:59 – Updated: 2026-04-02 14:51

Title

Ruby LSP has arbitrary code execution through branch setting

Summary

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/Shopify/ruby-lsp/security/advi…	x_refsource_CONFIRM
	https://github.com/Shopify/ruby-lsp/releases/tag/…	x_refsource_MISC

Impacted products

Vendor

Product

Version

Shopify

ruby-lsp

Affected: < 0.26.9

Shopify

Shopify.ruby-lsp

Affected: < 0.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34060",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T14:51:08.644486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T14:51:58.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ruby-lsp",
          "vendor": "Shopify",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.26.9"
            }
          ]
        },
        {
          "product": "Shopify.ruby-lsp",
          "vendor": "Shopify",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:59:51.170Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"
        },
        {
          "name": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"
        }
      ],
      "source": {
        "advisory": "GHSA-c4r5-fxqw-vh93",
        "discovery": "UNKNOWN"
      },
      "title": "Ruby LSP has arbitrary code execution through branch setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34060",
    "datePublished": "2026-03-31T01:59:51.170Z",
    "dateReserved": "2026-03-25T16:21:40.866Z",
    "dateUpdated": "2026-04-02T14:51:58.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34060\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-31T03:15:58.773\",\"lastModified\":\"2026-04-02T15:16:41.003\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.\"},{\"lang\":\"es\",\"value\":\"Ruby LSP es una implementaci\u00f3n del protocolo del servidor de lenguaje para Ruby. Antes de Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9, la configuraci\u00f3n del espacio de trabajo de VS Code rubyLsp.branch se interpolaba sin sanitizaci\u00f3n en un Gemfile generado, permitiendo la ejecuci\u00f3n arbitraria de c\u00f3digo Ruby cuando un usuario abre un proyecto que contiene un archivo .vscode/settings.json malicioso. Este problema ha sido parcheado en Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34060\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T14:51:08.644486Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T14:51:50.959Z\"}}], \"cna\": {\"title\": \"Ruby LSP has arbitrary code execution through branch setting\", \"source\": {\"advisory\": \"GHSA-c4r5-fxqw-vh93\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Shopify\", \"product\": \"ruby-lsp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.26.9\"}]}, {\"vendor\": \"Shopify\", \"product\": \"Shopify.ruby-lsp\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93\", \"name\": \"https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9\", \"name\": \"https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-31T01:59:51.170Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34060\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T14:51:58.711Z\", \"dateReserved\": \"2026-03-25T16:21:40.866Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-31T01:59:51.170Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-C4R5-FXQW-VH93

Vulnerability from github – Published: 2026-03-27 19:43 – Updated: 2026-03-31 18:41

Summary

Ruby LSP has arbitrary code execution through branch setting

Details

Summary

The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json.

Other editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.

Details

The branch CLI argument passed to the ruby-lsp server was interpolated in the generated .ruby-lsp/Gemfile without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: .vscode/settings.json) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.

Impact

Code execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.

Remediation

The rubyLsp.branch setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version >= 0.10.2.

The branch CLI flag was also entirely removed from the ruby-lsp gem. For users that don't add ruby-lsp to their Gemfiles, the server should auto-update. Users with the ruby-lsp in the Gemfile and locked to a specific version should update to >= 0.26.9.

Severity ?

7.1 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "ruby-lsp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34060"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T19:43:14Z",
    "nvd_published_at": "2026-03-31T03:15:58Z",
    "severity": "HIGH"
  },
  "details": "**Summary**\n\nThe `rubyLsp.branch` VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious `.vscode/settings.json`.\n\nOther editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.\n\n**Details**\n\nThe `branch` CLI argument passed to the `ruby-lsp` server was interpolated in the generated `.ruby-lsp/Gemfile` without sanitization. Editors that allow defining settings saved at the workspace level (e.g.: `.vscode/settings.json`) that gets automatically applied open the possibility to craft a malicious repository that once opened and trusted in the editor would run arbitrary code.\n\n**Impact**\n\nCode execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.\n\n**Remediation**\n\nThe `rubyLsp.branch` setting has been removed entirely. VS Code extensions auto-update by default, so most users will receive the fix without action. Users who have disabled auto-updates should update to extension version \u003e= 0.10.2.\n\nThe `branch` CLI flag was also entirely removed from the `ruby-lsp` gem. For users that don\u0027t add `ruby-lsp` to their Gemfiles, the server should auto-update. Users with the `ruby-lsp` in the Gemfile and locked to a specific version should update to \u003e= 0.26.9.",
  "id": "GHSA-c4r5-fxqw-vh93",
  "modified": "2026-03-31T18:41:33Z",
  "published": "2026-03-27T19:43:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34060"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Shopify/ruby-lsp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ruby-lsp/CVE-2026-34060.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Ruby LSP has arbitrary code execution through branch setting"
}

FKIE_CVE-2026-34060

Vulnerability from fkie_nvd - Published: 2026-03-31 03:15 - Updated: 2026-04-02 15:16

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9
	security-advisories@github.com	https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9."
    },
    {
      "lang": "es",
      "value": "Ruby LSP es una implementaci\u00f3n del protocolo del servidor de lenguaje para Ruby. Antes de Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9, la configuraci\u00f3n del espacio de trabajo de VS Code rubyLsp.branch se interpolaba sin sanitizaci\u00f3n en un Gemfile generado, permitiendo la ejecuci\u00f3n arbitraria de c\u00f3digo Ruby cuando un usuario abre un proyecto que contiene un archivo .vscode/settings.json malicioso. Este problema ha sido parcheado en Shopify.ruby-lsp versi\u00f3n 0.10.2 y ruby-lsp versi\u00f3n 0.26.9."
    }
  ],
  "id": "CVE-2026-34060",
  "lastModified": "2026-04-02T15:16:41.003",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-31T03:15:58.773",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-34060 (GCVE-0-2026-34060)

GHSA-C4R5-FXQW-VH93

FKIE_CVE-2026-34060

Tags

Sightings

Nomenclature