CVE-2026-57234 | Nokogiri is an open source XML and HTML library for the Ruby… | CVSS 2.6 LOW

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

Metadata

CVE ID: CVE-2026-57234
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-24 02:21 UTC
Published: 2026-06-25 14:30 UTC
Last updated: 2026-06-25 15:05 UTC
Primary CWE: CWE-178
CWE-178: Improper Handling of Case Sensitivity
Vendor / Product: sparklemotion / nokogiri
Sources: cve.org · NVD

Severity & Metrics

2.6 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
sparklemotion	nokogiri	—	< 1.19.4

Weakness (CWE)

CWE	Source	Description
CWE-178	cna	CWE-178: Improper Handling of Case Sensitivity
CWE-184	cna	CWE-184: Incomplete List of Disallowed Inputs
CWE-611	cna	CWE-611: Improper Restriction of XML External Entity Reference

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.6	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

References (1)

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2