CVE Catalog

CVE-2026-57438

MediumCVSS 6.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

Vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby language. During XInclude processing, <xi:include> nodes along with children and namespaces are freed, but if the application previously exposed them to Ruby, Ruby objects point to freed memory, which can lead to invalid reads or writes.

Risk Assessment

The risk involves potential memory corruption, which could result in application crashes, data leaks, or potential code execution by an attacker.

Recommendation

It is recommended to immediately update the Nokogiri library to version 1.19.4 or later.

Original NVD description (English source)

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS