cvedb.io
CVE-2026-44587
MEDIUM · CVSS 4.7
EPSS exploitation probability: 0%
Published 2026-06-17T13:20:40.703 · Last modified 2026-06-18T15:24:29.620

Summary

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/uploader/content_type_denylist.rb:57, denylist entries are interpolated directly into a regex without Regexp.quote or anchoring, so an entry such as image/svg+xml becomes the pattern /image\/svg+xml/, in which + is treated as a quantifier rather than a literal character and therefore never matches the real MIME type image/svg+xml. This is inconsistent with the allowlist implementation, which correctly applies both Regexp.quote and a \A anchor. Other content types containing regex metacharacters, s
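The following is an added example, not CarrierWave's own code, that reproduces the pattern-construction flaw described above beside a hardened version. The helper names and the handling of String versus Regexp entries are assumptions; only the mechanism (interpolating a string into a regex without Regexp.quote or an anchor, versus escaping and anchoring it) is taken from the advisory text.

```ruby
# Added example (not CarrierWave's code). Shows why a denylist entry such as
# "image/svg+xml" never matches when interpolated into a regex unescaped, and
# how Regexp.quote plus a \A anchor fixes it. Function names and the
# String/Regexp entry handling are assumptions for illustration.

# Mirrors the flaw: a String entry is interpolated directly into a regex
# literal, so "image/svg+xml" becomes /image\/svg+xml/ where "+" is a
# quantifier (one or more "g") rather than a literal plus sign.
def denylisted_unescaped?(content_type, denylist)
  denylist.any? do |entry|
    pattern = entry.is_a?(Regexp) ? entry : /#{entry}/
    content_type.match?(pattern)
  end
end

# Hardened check: String entries are escaped with Regexp.quote so every
# metacharacter is literal, and anchored with \A so the match starts at the
# beginning of the MIME type (the approach the advisory says the allowlist
# already uses). Regexp entries are used as written.
def denylisted_escaped?(content_type, denylist)
  denylist.any? do |entry|
    pattern = entry.is_a?(Regexp) ? entry : /\A#{Regexp.quote(entry)}/
    content_type.match?(pattern)
  end
end

# Exposes the regex each approach actually builds for a String entry, so the
# difference can be inspected directly.
def unescaped_pattern(entry)
  /#{entry}/
end

def escaped_pattern(entry)
  /\A#{Regexp.quote(entry)}/
end

# Constructed sample denylist and inputs (not from the advisory).
SAMPLE_DENYLIST = ['image/svg+xml'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unescaped pattern: #{unescaped_pattern('image/svg+xml').inspect}"
  puts "escaped pattern:   #{escaped_pattern('image/svg+xml').inspect}"
  %w[image/svg+xml image/svgxml image/png].each do |ct|
    puts format('%-14s unescaped=%-5s escaped=%s', ct,
                denylisted_unescaped?(ct, SAMPLE_DENYLIST),
                denylisted_escaped?(ct, SAMPLE_DENYLIST))
  end
end
```

Running it shows the real SVG MIME type slipping past the unescaped check while a non-existent type like `image/svgxml` is blocked, which is exactly the silent failure the advisory describes; the escaped and anchored version blocks `image/svg+xml` and nothing else in the sample.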

Affected products

carrierwave_project — carrierwave


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.