Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Nokogiri’s JRuby implementation allows XML::Schema parsing to ignore the NONET option, enabling external network resources to be fetched during schema validation. This behavior can be leveraged for Server‑Side Request Forgery or XML External Entity attacks, exposing confidential data, modifying internal state, or disrupting application availability. The weakness corresponds to improper input validation and error handling (CWE-178, CWE-184, CWE-611).

Affected Systems

The impact applies to systems that include the Sparklemotion Nokogiri library for Ruby, specifically any versions before 1.19.4 that run under JRuby. The vulnerability is present in the analysis of XML schemas when the default NONET enforcement is bypassed.

Risk and Exploitability

The CVSS score of 2.6 indicates low overall severity, and the EPSS score is not available, suggesting limited known exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack path involves a local or remote attacker that can supply a crafted XML schema to the application; the attacker need not exploit a transport channel because the flaw is exercised during local library calls. The default JRuby configuration fails to enforce NONET, so the application code itself must explicitly set or enforce the option for safe operation.

Generated by OpenCVE AI on June 25, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Nokogiri version 1.19.4 or later, which enforces the NONET option in XML::Schema parsing on JRuby.
  • If a library upgrade is not immediately possible, modify the application to explicitly set the NONET option when parsing any XML schema on JRuby, ensuring that external resource fetching is blocked.
  • Consider transitioning away from JRuby if the application consistently uses Nokogiri XML schema parsing and cannot guarantee enforcement of NONET, or deploy a temporary workaround that disables XML::Schema parsing on JRuby until the patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 15:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.
Title Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Weaknesses CWE-178
CWE-184
CWE-611
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:05:42.484Z

Reserved: 2026-06-24T02:21:33.812Z

Link: CVE-2026-57234

cve-icon Vulnrichment

Updated: 2026-06-25T15:05:38.781Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T14:30:20Z

Links: CVE-2026-57234 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:28Z

Weaknesses
  • CWE-178

    Improper Handling of Case Sensitivity

  • CWE-184

    Incomplete List of Disallowed Inputs

  • CWE-611

    Improper Restriction of XML External Entity Reference