CVE-2026-57437

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*

History

26 Jun 2026, 16:47

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
First Time Nokogiri
Nokogiri nokogiri
References () https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7 - () https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7 - Mitigation, Vendor Advisory
CPE cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*

25 Jun 2026, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 15:16

Updated : 2026-06-26 16:47


NVD link : CVE-2026-57437

Mitre link : CVE-2026-57437

CVE.ORG link : CVE-2026-57437


JSON object : View

Products Affected

nokogiri

  • nokogiri
CWE
CWE-416

Use After Free