
CVE-2026-57234

Severity: Low (CVSS 2.6)

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

A vulnerability in the Nokogiri XML/HTML library for Ruby stems from incorrect enforcement of the NONET parse option in the JRuby implementation. This option, which Nokogiri enables by default for Nokogiri::XML::Schema (see CVE-2020-26247), did not prevent external resources from being fetched over the network during schema parsing, potentially enabling SSRF or XXE attacks. The issue is fixed in version 1.19.4.

Risk Assessment

An affected organization is exposed to unauthorized requests against internal network resources (SSRF) or XML external entity (XXE) injection, either of which could lead to data leakage or compromise of system integrity.

Recommendation

Update the Nokogiri library to version 1.19.4 or later without delay, especially in environments running on JRuby. As a workaround, explicitly set the NONET option when parsing XML schemas rather than relying on the default.

Original NVD description (English source)

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS