CVE-2026-57438
MediumCVSS 6.6Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
Vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby language. During XInclude processing, <xi:include> nodes along with children and namespaces are freed, but if the application previously exposed them to Ruby, Ruby objects point to freed memory, which can lead to invalid reads or writes.
Risk Assessment
The risk involves potential memory corruption, which could result in application crashes, data leaks, or potential code execution by an attacker.
Recommendation
It is recommended to immediately update the Nokogiri library to version 1.19.4 or later.
Original NVD description (English source)
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.

