CVE-2026-57234

NameCVE-2026-57234
DescriptionNokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140769

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-nokogiri (PTS)bullseye1.11.1+dfsg-2vulnerable
bullseye (security)1.11.1+dfsg-2+deb11u1vulnerable
bookworm1.13.10+dfsg-2vulnerable
trixie1.18.2+dfsg-1vulnerable
forky1.19.1+dfsg-1vulnerable
sid1.19.3+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-nokogirisource(unstable)(unfixed)1140769

Notes

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2
Search for package or bug name: Reporting problems