Ubuntu Security Notices
USN-8066-1: Rack vulnerabilities
Publication date: 26 February 2026

Overview
Several security issues were fixed in Rack.

Releases: 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS

Packages
ruby-rack - modular Ruby webserver interface

Details
Minh Pham Quang discovered that Rack did not correctly handle parsing certain paths, which could lead to a path traversal attack. An attacker could possibly use this issue to leak sensitive information. (CVE-2026-22860)

Ali Firas discovered that Rack did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. (CVE-2026-25500)

Update instructions
In general, a standard system update will make all the necessary changes. The problem can be corrected by updating your system to the following package versions:

Ubuntu Release        Package     Version
25.10 (questing)      ruby-rack   3.1.16-0.1ubuntu0.2
24.04 LTS (noble)     ruby-rack   2.2.7-1ubuntu0.6
22.04 LTS (jammy)     ruby-rack   2.1.4-5ubuntu1.2+esm2   (Ubuntu Pro: fix available via ESM Apps; a community fix might become publicly available in the future)
20.04 LTS (focal)     ruby-rack   2.0.7-2ubuntu0.1+esm9   (Ubuntu Pro: fix available via ESM Apps; a community fix might become publicly available in the future)

References
CVE-2026-25500
CVE-2026-22860
Two vulnerabilities in Rack, a modular Ruby webserver interface, require immediate patching: CVE-2026-22860 (CVSS 7.5 HIGH) is a path traversal flaw that allows disclosure of sensitive information, and CVE-2026-25500 (CVSS 5.4 MEDIUM) is an input sanitization issue that enables arbitrary code execution. The affected upstream versions are Rack prior to 2.2.22, 3.0.0 through 3.1.19, and 3.2.0 through 3.2.4; the upstream fixed versions are 2.2.22, 3.1.20, and 3.2.5. On the listed Ubuntu releases the fixes are delivered through the package versions given above via a standard system update; note that those Ubuntu package versions carry the fixes even though their upstream version numbers fall inside the affected ranges.
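As an added example that is not part of the advisory, the Ruby check below flags a Gemfile.lock whose pinned rack gem falls in the affected upstream ranges stated above; the sample lockfile is constructed. It applies only to vendored or bundled gems: a system-installed ruby-rack on Ubuntu is judged against the USN package versions above, since those backports keep an upstream version number inside the affected ranges.

```ruby
require "rubygems"

# Affected upstream ranges as stated in USN-8066-1 (CVE-2026-22860, CVE-2026-25500):
# < 2.2.22, 3.0.0 through 3.1.19, 3.2.0 through 3.2.4. Fixed: 2.2.22, 3.1.20, 3.2.5.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 2.2.22"),
  Gem::Requirement.new(">= 3.0.0", "<= 3.1.19"),
  Gem::Requirement.new(">= 3.2.0", "<= 3.2.4"),
].freeze

# True when an upstream Rack gem version lies in one of the affected ranges.
# Not valid for Debian/Ubuntu package versions such as 3.1.16-0.1ubuntu0.2,
# which carry backported fixes; compare those against the USN table instead.
def rack_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |r| r.satisfied_by?(v) }
end

# Extracts the pinned rack version from Gemfile.lock text, or nil if absent.
# Only the resolved specs line "rack (3.1.18)" matches; dependency lines such
# as "rack (~> 3.1)" or "rack (>= 3.0.0)" do not, because they start with an operator.
def rack_version_from_lockfile(text)
  m = text.match(/^[ \t]+rack \((\d+(?:\.\d+)+)\)[ \t]*$/)
  m && m[1]
end

# Audits one lockfile: returns [version, affected?] or nil when rack is not pinned.
def audit_lockfile(text)
  v = rack_version_from_lockfile(text)
  v && [v, rack_affected?(v)]
end

# Constructed sample lockfile (not from the advisory) so the script runs stand-alone.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.18)
      rack-session (2.1.0)
        rack (>= 3.0.0)
  DEPENDENCIES
    rack (~> 3.1)
LOCK

if __FILE__ == $0
  # With no arguments, audit the constructed sample; otherwise each path given.
  sources = ARGV.empty? ? { "sample" => SAMPLE_LOCK } : ARGV.to_h { |p| [p, File.read(p)] }
  sources.each do |name, text|
    version, affected = audit_lockfile(text)
    puts "#{name}: rack #{version || 'not pinned'} #{affected ? 'AFFECTED (update to 2.2.22 / 3.1.20 / 3.2.5)' : 'ok'}"
  end
end
```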