Ruby vulnerabilities: known CVEs & security history
Ruby · Web / Runtime · 112 tracked CVEs · 0 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all Ruby release lines — 112 in total. A CVE here doesn't mean your version is affected — check Ruby's current status and the safe version to run.
Known Ruby CVEs
Actively-exploited and most-severe first. Showing the top 80 of 112.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2016-2338 | critical | 9.8 | 5% | 2022 |
| CVE-2022-28738 | critical | 9.8 | 3% | 2022 |
| CVE-2021-41816 | critical | 9.8 | 5% | 2022 |
| CVE-2011-4121 | critical | 9.8 | 3% | 2019 |
| CVE-2018-16395 | critical | 9.8 | 11% | 2018 |
| CVE-2017-17790 | critical | 9.8 | 6% | 2017 |
| CVE-2017-14064 | critical | 9.8 | 9% | 2017 |
| CVE-2017-11465 | critical | 9.8 | 2% | 2017 |
| CVE-2017-9225 | critical | 9.8 | 3% | 2017 |
| CVE-2016-2339 | critical | 9.8 | 5% | 2017 |
| CVE-2016-2337 | critical | 9.8 | 6% | 2017 |
| CVE-2016-2336 | critical | 9.8 | 3% | 2017 |
| CVE-2018-8780 | critical | 9.1 | 10% | 2018 |
| CVE-2017-0898 | critical | 9.1 | 10% | 2017 |
| CVE-2013-1948 | high | 10 | 2% | 2013 |
| CVE-2009-4124 | high | 10 | 4% | 2009 |
| CVE-2008-2662 | high | 10 | 4% | 2008 |
| CVE-2008-2663 | high | 10 | 4% | 2008 |
| CVE-2013-1947 | high | 9.3 | 2% | 2013 |
| CVE-2013-1933 | high | 9.3 | 2% | 2013 |
| CVE-2021-33621 | high | 8.8 | 2% | 2022 |
| CVE-2017-17405 | high | 8.8 | 74% | 2017 |
| CVE-2017-10784 | high | 8.8 | 16% | 2017 |
| CVE-2015-7551 | high | 8.4 | 1% | 2016 |
| CVE-2026-46727 | high | 8.1 | 0% | 2026 |
| CVE-2019-16255 | high | 8.1 | 4% | 2019 |
| CVE-2018-16396 | high | 8.1 | 8% | 2018 |
| CVE-2011-4815 | high | 7.8 | 4% | 2011 |
| CVE-2008-4310 | high | 7.8 | 14% | 2008 |
| CVE-2008-3656 | high | 7.8 | 70% | 2008 |
| CVE-2008-2664 | high | 7.8 | 4% | 2008 |
| CVE-2008-2725 | high | 7.8 | 4% | 2008 |
| CVE-2008-2726 | high | 7.8 | 4% | 2008 |
| CVE-2024-49761 | high | 7.5 | 1% | 2024 |
| CVE-2024-26142 | high | 7.5 | 1% | 2024 |
| CVE-2023-22795 | high | 7.5 | 2% | 2023 |
| CVE-2022-28739 | high | 7.5 | 4% | 2022 |
| CVE-2021-41819 | high | 7.5 | 3% | 2022 |
| CVE-2021-41817 | high | 7.5 | 3% | 2022 |
| CVE-2021-28966 | high | 7.5 | 58% | 2021 |
| CVE-2021-28965 | high | 7.5 | 5% | 2021 |
| CVE-2020-25613 | high | 7.5 | 4% | 2020 |
| CVE-2020-10663 | high | 7.5 | 7% | 2020 |
| CVE-2019-16201 | high | 7.5 | 5% | 2019 |
| CVE-2018-8779 | high | 7.5 | 7% | 2018 |
| CVE-2018-8778 | high | 7.5 | 8% | 2018 |
| CVE-2018-8777 | high | 7.5 | 5% | 2018 |
| CVE-2018-6914 | high | 7.5 | 11% | 2018 |
| CVE-2017-14033 | high | 7.5 | 8% | 2017 |
| CVE-2014-6438 | high | 7.5 | 4% | 2017 |
| CVE-2017-9229 | high | 7.5 | 5% | 2017 |
| CVE-2017-6181 | high | 7.5 | 4% | 2017 |
| CVE-2013-5647 | high | 7.5 | 2% | 2013 |
| CVE-2013-0175 | high | 7.5 | 4% | 2013 |
| CVE-2013-1655 | high | 7.5 | 5% | 2013 |
| CVE-2009-4492 | high | 7.5 | 16% | 2010 |
| CVE-2008-3655 | high | 7.5 | 14% | 2008 |
| CVE-2008-3657 | high | 7.5 | 13% | 2008 |
| CVE-2008-2376 | high | 7.5 | 4% | 2008 |
| CVE-2021-32066 | high | 7.4 | 3% | 2021 |
| CVE-2009-5147 | high | 7.3 | 8% | 2017 |
| CVE-2010-2489 | high | 7.2 | 0% | 2010 |
| CVE-2021-31799 | high | 7 | 1% | 2021 |
| CVE-2013-4164 | medium | 6.8 | 35% | 2013 |
| CVE-2013-4073 | medium | 6.8 | 3% | 2013 |
| CVE-2013-0233 | medium | 6.8 | 14% | 2013 |
| CVE-2013-1911 | medium | 6.8 | 2% | 2013 |
| CVE-2011-0188 | medium | 6.8 | 3% | 2011 |
| CVE-2009-0642 | medium | 6.8 | 3% | 2009 |
| CVE-2012-5380 | medium | 6.7 | 1% | 2012 |
| CVE-2020-5247 | medium | 6.5 | 2% | 2020 |
| CVE-2019-15845 | medium | 6.5 | 3% | 2019 |
| CVE-2013-2065 | medium | 6.4 | 3% | 2013 |
| CVE-2011-1004 | medium | 6.3 | 0% | 2011 |
| CVE-2015-9096 | medium | 6.1 | 4% | 2017 |
| CVE-2015-1855 | medium | 5.9 | 3% | 2019 |
| CVE-2021-31810 | medium | 5.8 | 3% | 2021 |
| CVE-2014-2734 | medium | 5.8 | 5% | 2014 |
| CVE-2008-3905 | medium | 5.8 | 2% | 2008 |
| CVE-2023-28756 | medium | 5.3 | 2% | 2023 |
32 older / lower-severity CVEs not shown — see Ruby's full record.
Is my Ruby version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Ruby vulnerabilities — frequently asked
How many known vulnerabilities does Ruby have?
IsItPatched tracks 112 CVEs for Ruby. 14 are critical-severity and 49 high-severity. These span every release line — what matters is whether the version you run is affected.
Does Ruby have any actively-exploited vulnerabilities?
None of Ruby's tracked CVEs are currently in CISA's KEV catalog — but new ones can be added at any time, so keep your version current.
What is the most severe Ruby vulnerability?
Among tracked issues, CVE-2016-2338 (CRITICAL, CVSS 9.8) ranks highest: an out-of-bounds write weakness.
Is Ruby safe to use?
It depends on the version. The latest supported Ruby release (4.0.5) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against Ruby's advisories.