CVE-2026-57438 | Nokogiri is an open source XML and HTML library for the Ruby… | CVSS 2.2 LOW

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.

Metadata

CVE ID: CVE-2026-57438
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-24 13:21 UTC
Published: 2026-06-25 14:39 UTC
Last updated: 2026-06-25 16:23 UTC
Primary CWE: CWE-416
CWE-416: Use After Free
Vendor / Product: sparklemotion / nokogiri
Sources: cve.org · NVD

Severity & Metrics

2.2 LOW CVSS 4.0

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
sparklemotion	nokogiri	—	< 1.19.4

Weakness (CWE)

CWE	Source	Description
CWE-416	cna	CWE-416: Use After Free

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.2	LOW	4.0	cna	CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U

References (1)

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69 https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69