CVE-2026-57234
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
CVSS Score
2.6
EPSS Score
0.0%
EPSS Percentile
0th
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
| CWE | CWE-178 CWE-184 CWE-611 |
| Vendor | sparklemotion |
| Product | nokogiri |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for sparklemotion nokogiri
Be the first to know when new low vulnerabilities affecting sparklemotion nokogiri are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
sparklemotion / nokogiri
< 1.19.4