[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2019-16255":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":62,"aliases":72,"duplicate_of":9,"upstream":73,"downstream":74,"duplicates":117,"related":118,"reserved_at":9,"published_at":124,"modified_at":125,"state":126,"summary":127,"references_raw":135,"kevs":203,"epss":204,"epss_history":207,"metrics":468,"affected":479},"CVE-2019-16255","Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the \"command\" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-94","Improper Control of Generation of Code ('Code Injection')","The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.","weakness","Draft","Base","Medium",[20,24,58],{"id":21,"name":22,"techniques":23},"CAPEC-242","Code Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[28,39,46],{"id":29,"name":30,"tactics":31,"countermeasures":38},"T1027.006","HTML Smuggling",[32,35],{"id":33,"name":34},"TA0030","Defense Evasion",{"id":36,"name":37},"TA0005","Stealth",[],{"id":40,"name":41,"tactics":42,"countermeasures":45},"T1027.009","Embedded Payloads",[43,44],{"id":33,"name":34},{"id":36,"name":37},[],{"id":47,"name":48,"tactics":49,"countermeasures":52},"T1564.009","Resource Forking",[50,51],{"id":33,"name":34},{"id":36,"name":37},[53],{"id":54,"name":55,"tactic":56},"D3-FFV","File Format Verification",{"name":57},"Isolate",{"id":59,"name":60,"techniques":61},"CAPEC-77","Manipulating User-Controlled Variables",[],[63],{"_key":64,"name":65,"source":66,"url":67,"maturity":68,"reliability_score":69,"verified":70,"type":9,"platforms":71,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_C19DC841840F58D6","Exploit Reference (hackerone.com)","reference","https://hackerone.com/reports/327512","unknown",0.2,false,[],[],[],[75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115],{"_key":76},"ALPINE-CVE-2019-16255",{"_key":78},"SUSE-SU-2020:0737-1",{"_key":80},"SUSE-SU-2020:1570-1",{"_key":82},"OPENSUSE-SU-2020:0395-1",{"_key":84},"DLA-2007-1",{"_key":86},"DLA-2027-1",{"_key":88},"DLA-2330-1",{"_key":90},"DLA-3408-1",{"_key":92},"DSA-4586-1",{"_key":94},"DSA-4587-1",{"_key":96},"MGASA-2019-0408",{"_key":98},"MGASA-2020-0440",{"_key":100},"USN-4201-1",{"_key":102},"DEBIAN-CVE-2019-16255",{"_key":104},"RHSA-2021:2104",{"_key":106},"RHSA-2021:2230",{"_key":108},"RHSA-2021:2587",{"_key":110},"RHSA-2021:2588",{"_key":112},"RHSA-2022:0581",{"_key":114},"RHSA-2022:0582",{"_key":116},"UBUNTU-CVE-2019-16255",[],[119,120,121,122,123],{"_key":78},{"_key":80},{"_key":82},{"_key":96},{"_key":98},"2019-11-26T00:00:00.000Z","2024-08-05T01:10:41.667Z","Modified",{"cisa_kev":70,"cisa_ransomware":70,"cisa_vendor":9,"epss_severity":128,"epss_score":129,"severity":130,"severity_score":131,"severity_version":132,"severity_source":133,"severity_vector":134,"severity_status":126},"low",0.01157,"high",8.1,"v3.1","nvd","CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",[136,143,148,153,157,161,166,170,175,179,183,187,191,195,199],{"url":67,"sources":137,"tags":139},[138,133],"cve.org",[140,141,142],"Exploit","Patch","Third Party Advisory",{"url":144,"sources":145,"tags":146},"https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html",[138,133],[147,142],"Mailing List",{"url":149,"sources":150,"tags":151},"https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/",[138,133],[152],"Release Notes",{"url":154,"sources":155,"tags":156},"https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/",[138,133],[152],{"url":158,"sources":159,"tags":160},"https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/",[138,133],[152],{"url":162,"sources":163,"tags":164},"https://www.ruby-lang.org/ja/news/2019/10/01/code-injection-shell-test-cve-2019-16255/",[138,133],[165],"Vendor Advisory",{"url":167,"sources":168,"tags":169},"https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html",[138,133],[147,142],{"url":171,"sources":172,"tags":173},"https://seclists.org/bugtraq/2019/Dec/31",[138,133],[147,174,142],"Broken Link",{"url":176,"sources":177,"tags":178},"https://seclists.org/bugtraq/2019/Dec/32",[138,133],[147,174,142],{"url":180,"sources":181,"tags":182},"https://www.debian.org/security/2019/dsa-4587",[138,133],[165,142],{"url":184,"sources":185,"tags":186},"https://www.oracle.com/security-alerts/cpujan2020.html",[138,133],[141,142],{"url":188,"sources":189,"tags":190},"https://security.gentoo.org/glsa/202003-06",[138,133],[165,142],{"url":192,"sources":193,"tags":194},"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html",[138,133],[165,142],{"url":196,"sources":197,"tags":198},"https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html",[138,133],[147,142],{"url":200,"sources":201,"tags":202},"https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html",[138,133],[147],[],{"date":205,"score":129,"percentile":206},"2026-06-04",0.78909,[208,212,215,218,221,224,227,230,232,235,238,241,244,246,249,253,256,259,262,265,268,271,274,277,279,282,285,287,290,293,295,298,301,304,307,310,313,316,319,322,325,328,330,333,336,339,342,345,347,350,353,356,359,362,366,369,372,375,378,381,384,387,389,392,394,397,400,403,406,409,412,414,416,419,422,425,428,431,434,437,440,443,446,449,452,455,457,460,463,465],{"date":209,"score":210,"percentile":211},"2025-11-04",0.01267,0.78788,{"date":213,"score":210,"percentile":214},"2025-11-05",0.78785,{"date":216,"score":210,"percentile":217},"2025-11-06",0.78781,{"date":219,"score":210,"percentile":220},"2025-11-07",0.78793,{"date":222,"score":210,"percentile":223},"2025-11-08",0.788,{"date":225,"score":210,"percentile":226},"2025-11-09",0.78794,{"date":228,"score":210,"percentile":229},"2025-11-10",0.78782,{"date":231,"score":210,"percentile":214},"2025-11-11",{"date":233,"score":210,"percentile":234},"2025-11-12",0.78801,{"date":236,"score":210,"percentile":237},"2025-11-13",0.7881,{"date":239,"score":210,"percentile":240},"2025-11-14",0.78818,{"date":242,"score":210,"percentile":243},"2025-11-15",0.78816,{"date":245,"score":210,"percentile":240},"2025-11-16",{"date":247,"score":210,"percentile":248},"2025-11-17",0.78811,{"date":250,"score":251,"percentile":252},"2025-11-18",0.06692,0.90323,{"date":254,"score":251,"percentile":255},"2025-11-19",0.90328,{"date":257,"score":251,"percentile":258},"2025-11-20",0.90331,{"date":260,"score":210,"percentile":261},"2025-11-21",0.78839,{"date":263,"score":210,"percentile":264},"2025-11-22",0.7884,{"date":266,"score":210,"percentile":267},"2025-11-23",0.7883,{"date":269,"score":210,"percentile":270},"2025-11-24",0.78827,{"date":272,"score":210,"percentile":273},"2025-11-25",0.78833,{"date":275,"score":210,"percentile":276},"2025-11-26",0.78836,{"date":278,"score":210,"percentile":264},"2025-11-27",{"date":280,"score":210,"percentile":281},"2025-11-28",0.78832,{"date":283,"score":210,"percentile":284},"2025-11-29",0.78837,{"date":286,"score":210,"percentile":284},"2025-11-30",{"date":288,"score":210,"percentile":289},"2025-12-01",0.78928,{"date":291,"score":210,"percentile":292},"2025-12-02",0.7893,{"date":294,"score":210,"percentile":289},"2025-12-03",{"date":296,"score":210,"percentile":297},"2025-12-04",0.78834,{"date":299,"score":210,"percentile":300},"2025-12-05",0.78841,{"date":302,"score":210,"percentile":303},"2025-12-06",0.78844,{"date":305,"score":210,"percentile":306},"2025-12-07",0.78845,{"date":308,"score":210,"percentile":309},"2025-12-08",0.78849,{"date":311,"score":210,"percentile":312},"2025-12-09",0.78867,{"date":314,"score":210,"percentile":315},"2025-12-10",0.78889,{"date":317,"score":210,"percentile":318},"2025-12-11",0.78904,{"date":320,"score":210,"percentile":321},"2025-12-12",0.78924,{"date":323,"score":210,"percentile":324},"2025-12-13",0.78925,{"date":326,"score":210,"percentile":327},"2025-12-14",0.78922,{"date":329,"score":210,"percentile":327},"2025-12-15",{"date":331,"score":210,"percentile":332},"2025-12-16",0.78933,{"date":334,"score":210,"percentile":335},"2025-12-17",0.78941,{"date":337,"score":210,"percentile":338},"2025-12-18",0.7896,{"date":340,"score":210,"percentile":341},"2025-12-19",0.78971,{"date":343,"score":210,"percentile":344},"2025-12-20",0.78966,{"date":346,"score":210,"percentile":338},"2025-12-21",{"date":348,"score":210,"percentile":349},"2025-12-22",0.78962,{"date":351,"score":210,"percentile":352},"2025-12-23",0.78963,{"date":354,"score":210,"percentile":355},"2025-12-24",0.78978,{"date":357,"score":210,"percentile":358},"2025-12-25",0.78997,{"date":360,"score":210,"percentile":361},"2025-12-26",0.78995,{"date":363,"score":364,"percentile":365},"2025-12-27",0.01584,0.81199,{"date":367,"score":210,"percentile":368},"2025-12-28",0.78984,{"date":370,"score":210,"percentile":371},"2025-12-29",0.78979,{"date":373,"score":210,"percentile":374},"2025-12-30",0.78986,{"date":376,"score":210,"percentile":377},"2025-12-31",0.79003,{"date":379,"score":210,"percentile":380},"2026-01-01",0.79099,{"date":382,"score":210,"percentile":383},"2026-01-02",0.79098,{"date":385,"score":210,"percentile":386},"2026-01-03",0.79093,{"date":388,"score":210,"percentile":361},"2026-01-04",{"date":390,"score":210,"percentile":391},"2026-01-05",0.7899,{"date":393,"score":210,"percentile":358},"2026-01-06",{"date":395,"score":210,"percentile":396},"2026-01-07",0.79005,{"date":398,"score":210,"percentile":399},"2026-01-08",0.79015,{"date":401,"score":210,"percentile":402},"2026-01-09",0.79018,{"date":404,"score":210,"percentile":405},"2026-01-10",0.7902,{"date":407,"score":210,"percentile":408},"2026-01-11",0.79012,{"date":410,"score":210,"percentile":411},"2026-01-12",0.79001,{"date":413,"score":210,"percentile":358},"2026-01-13",{"date":415,"score":210,"percentile":402},"2026-01-14",{"date":417,"score":210,"percentile":418},"2026-01-15",0.79019,{"date":420,"score":210,"percentile":421},"2026-01-16",0.79025,{"date":423,"score":210,"percentile":424},"2026-01-17",0.79033,{"date":426,"score":210,"percentile":427},"2026-01-18",0.7903,{"date":429,"score":210,"percentile":430},"2026-01-19",0.79022,{"date":432,"score":210,"percentile":433},"2026-01-20",0.79021,{"date":435,"score":210,"percentile":436},"2026-01-21",0.79026,{"date":438,"score":210,"percentile":439},"2026-01-22",0.79037,{"date":441,"score":210,"percentile":442},"2026-01-23",0.79064,{"date":444,"score":210,"percentile":445},"2026-01-24",0.79074,{"date":447,"score":210,"percentile":448},"2026-01-25",0.79067,{"date":450,"score":210,"percentile":451},"2026-01-26",0.79063,{"date":453,"score":210,"percentile":454},"2026-01-27",0.79062,{"date":456,"score":210,"percentile":451},"2026-01-28",{"date":458,"score":210,"percentile":459},"2026-01-29",0.79057,{"date":461,"score":210,"percentile":462},"2026-01-30",0.7906,{"date":464,"score":210,"percentile":442},"2026-01-31",{"date":466,"score":210,"percentile":467},"2026-02-01",0.7916,[469],{"source":133,"cvss_v2_0":470,"cvss_v3_0":9,"cvss_v3_1":475,"cvss_v4_0":9},{"baseScore":471,"baseSeverity":9,"vectorString":472,"impactScore":473,"exploitabilityScore":474},6.8,"AV:N/AC:M/Au:N/C:P/I:P/A:P",6.4,8.6,{"baseScore":131,"baseSeverity":476,"vectorString":134,"impactScore":477,"exploitabilityScore":478},"HIGH",9.8,5.6,[480,491,497,504],{"ecosystem":9,"name":481,"vendor":482,"product":483,"cpe_part":484,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":485},"debian linux","debian","debian_linux","o",[486,489],{"version":487,"is_range":70,"range_type":488,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0","cpe",{"version":490,"is_range":70,"range_type":488,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"9.0",{"ecosystem":9,"name":492,"vendor":493,"product":492,"cpe_part":484,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":494},"leap","opensuse",[495],{"version":496,"is_range":70,"range_type":488,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"15.1",{"ecosystem":9,"name":498,"vendor":499,"product":498,"cpe_part":500,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":501},"graalvm","oracle","a",[502],{"version":503,"is_range":70,"range_type":488,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"19.3.0.2",{"ecosystem":9,"name":505,"vendor":506,"product":505,"cpe_part":500,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":507},"ruby","ruby-lang",[508,514,518],{"version":509,"is_range":510,"range_type":488,"version_start":511,"version_start_type":512,"version_end":513,"version_end_type":512,"fixed_in":9},"gte2.4.0_lte2.4.7",true,"2.4.0","including","2.4.7",{"version":515,"is_range":510,"range_type":488,"version_start":516,"version_start_type":512,"version_end":517,"version_end_type":512,"fixed_in":9},"gte2.5.0_lte2.5.6","2.5.0","2.5.6",{"version":519,"is_range":510,"range_type":488,"version_start":520,"version_start_type":512,"version_end":521,"version_end_type":512,"fixed_in":9},"gte2.6.0_lte2.6.4","2.6.0","2.6.4"]