GHSA-vr8q-g5c7-m54m · Severity: medium · Ecosystem: rubygems — Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Conclusion & alert: CVE-2020-26247 is rated Low Risk (31.8/100): CVSS Low severity, with medium exploitation likelihood (EPSS 1.11%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-30 | 1.29% | 1.11% | -0.18% |
| 2 | 2026-06-15 | 0.26% | 1.29% | +1.03% |
| 3 | 2026-05-27 | — | 0.26% | — |
Full EPSS history (30 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.6 | 3.1 | LOW |
|
1.2 | 1.4 | [email protected] |
| 4.3 | 3.1 | MEDIUM |
|
2.8 | 1.4 | [email protected] |
| 4.0 | 2.0 | MEDIUM |
|
8.0 | 2.9 | [email protected] |
GHSA-vr8q-g5c7-m54m · Severity: medium · Ecosystem: rubygems — Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
medium | CVE-2020-26247: 1 source package rows (ruby-nokogiri); 9 state rows across 7 repos (3.17-community, 3.18-community, 3.19-community, 3.20-community, 3.21-community, 3.22-community, edge-community); fixed 7, open 2. | https://security.alpinelinux.org/vuln/CVE-2020-26247 |
debian
|
low | CVE-2020-26247 low priority: Debian including 1 source packages (ruby-nokogiri), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2020-26247 |
gentoo
|
low | CVE-2020-26247: 1 GLSA(s) (202208-29), 1 atom(s) (dev-ruby/nokogiri); latest impact low. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-26247 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2020-26247 |
suse
|
medium | CVE-2020-26247 severity moderate: SUSE including 311 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 422 product×package rows across 44 product lines (HPE Helion OpenStack 8, Image SLES15-SP3-BYOS-Azure, … (44 product lines)): Known Affected 231, Fixed 191. | https://www.suse.com/security/cve/CVE-2020-26247/ |
ubuntu
|
medium | CVE-2020-26247 medium priority: Ubuntu including 1 source packages (ruby-nokogiri), 15 status rows across 15 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, trusty, upstream, xenial): not-affected 7, ignored 6, released 2. | https://ubuntu.com/security/CVE-2020-26247 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| nokogiri | nokogiri | < 1.11.0 | cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:* |
| nokogiri | nokogiri | 1.11.0 | cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc1:*:*:*:ruby:*:* |
| nokogiri | nokogiri | 1.11.0 | cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc2:*:*:*:ruby:*:* |
| nokogiri | nokogiri | 1.11.0 | cpe:2.3:a:nokogiri:nokogiri:1.11.0:rc3:*:*:*:ruby:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b | Patch Third Party Advisory |
| https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4 | Release Notes Third Party Advisory |
| https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m | Mitigation Third Party Advisory |
| https://hackerone.com/reports/747489 | Permissions Required |
| https://lists.debian.org/debian-lts-announce/2021/06/msg00007.html | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html | Mailing List Third Party Advisory |
| https://rubygems.org/gems/nokogiri | Product Third Party Advisory |
| https://security.gentoo.org/glsa/202208-29 | Third Party Advisory |