DEBIAN-CVE-2020-26247

Advisory lineage Upstream: 1 Downstream: 2

Upstream

CVE-2020-26247

Downstream

DLA-2678-1 DLA-3149-1

Published: 30 Dec 2020, 19:15

Last modified:28 Apr 2026, 20:19

Vulnerability Summary

Overall Risk (default)

low

17/100

CVSS Score

4.3 MEDIUM

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

30 Dec 2020, 19:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:19

Last Modified

Vulnerability information updated

Description

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

CVSS Metrics

v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Systems

debian•ruby-nokogiri
< 1.11.1+dfsg-1 | < 1.11.1+dfsg-1 | < 1.11.1+dfsg-1 | < 1.11.1+dfsg-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2020-26247