{"api_version":"1","generated_at":"2026-04-23T02:35:36+00:00","cve":"CVE-2020-26247","urls":{"html":"https://cve.report/CVE-2020-26247","api":"https://cve.report/api/cve/CVE-2020-26247.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-26247","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-26247"},"summary":{"title":"CVE-2020-26247","description":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2020-12-30 19:15:00","updated_at":"2022-10-19 18:53:00"},"problem_types":["CWE-611"],"metrics":[],"references":[{"url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m","name":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m","refsource":"CONFIRM","tags":["Mitigation","Third Party Advisory"],"title":"Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability · Advisory · sparklemotion/nokogiri · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html","name":"[debian-lts-announce] 20210606 [SECURITY] [DLA 2678-1] ruby-nokogiri security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2678-1] ruby-nokogiri security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202208-29","name":"GLSA-202208-29","refsource":"GENTOO","tags":[],"title":"Nokogiri: Multiple Vulnerabilities (GLSA 202208-29) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html","name":"[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3149-1] ruby-nokogiri security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://rubygems.org/gems/nokogiri","name":"https://rubygems.org/gems/nokogiri","refsource":"MISC","tags":["Product","Third Party Advisory"],"title":"nokogiri | RubyGems.org | your community gem host","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hackerone.com/reports/747489","name":"https://hackerone.com/reports/747489","refsource":"MISC","tags":["Permissions Required"],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4","name":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4","refsource":"MISC","tags":["Release Notes","Third Party Advisory"],"title":"Release v1.11.0.rc4 / 2020-12-29 · sparklemotion/nokogiri · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","name":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"feat: XML::Schema and RelaxNG creation accept optional ParseOptions · sparklemotion/nokogiri@9c87439 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-26247","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26247","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26247","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nokogiri","cpe5":"nokogiri","cpe6":"1.11.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-26247","qid":"178661","title":"Debian Security Update for ruby-nokogiri (DLA 2678-1)"},{"cve":"CVE-2020-26247","qid":"181134","title":"Debian Security Update for ruby-nokogiri (DLA 3149-1)"},{"cve":"CVE-2020-26247","qid":"239895","title":"Red Hat Update for Satellite 6.10 (RHSA-2021:4702)"},{"cve":"CVE-2020-26247","qid":"501920","title":"Alpine Linux Security Update for ruby-nokogiri"},{"cve":"CVE-2020-26247","qid":"690369","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for nokogiri (13c54e6d-5c45-11eb-b4e2-001b217b3468)"},{"cve":"CVE-2020-26247","qid":"710597","title":"Gentoo Linux Nokogiri Multiple Vulnerabilities (GLSA 202208-29)"},{"cve":"CVE-2020-26247","qid":"750375","title":"OpenSUSE Security Update for rubygem-nokogiri (openSUSE-SU-2021:0237-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2020-26247","STATE":"PUBLIC","TITLE":"XXE in Nokogiri"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"nokogiri","version":{"version_data":[{"version_value":"< 1.11.0.rc4"}]}}]},"vendor_name":"sparklemotion"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":2.6,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-611: Improper Restriction of XML External Entity Reference"}]}]},"references":{"reference_data":[{"name":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m","refsource":"CONFIRM","url":"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m"},{"name":"https://rubygems.org/gems/nokogiri","refsource":"MISC","url":"https://rubygems.org/gems/nokogiri"},{"name":"https://hackerone.com/reports/747489","refsource":"MISC","url":"https://hackerone.com/reports/747489"},{"name":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4","refsource":"MISC","url":"https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4"},{"name":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b","refsource":"MISC","url":"https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210606 [SECURITY] [DLA 2678-1] ruby-nokogiri security update","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html"},{"refsource":"GENTOO","name":"GLSA-202208-29","url":"https://security.gentoo.org/glsa/202208-29"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"}]},"source":{"advisory":"GHSA-vr8q-g5c7-m54m","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2020-12-30 19:15:00","lastModifiedDate":"2022-10-19 18:53:00","problem_types":["CWE-611"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*","versionEndExcluding":"1.11.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"26247","Ordinal":"187669","Title":"CVE-2020-26247","CVE":"CVE-2020-26247","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"26247","Ordinal":"1","NoteData":"Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"26247","Ordinal":"2","NoteData":"2020-12-30","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"26247","Ordinal":"3","NoteData":"2021-06-06","Type":"Other","Title":"Modified"}]}}}