CVE-2026-57234

Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247

CVSS 2.6 LOWEPSS 0.2%CWE-178 CWE-184 CWE-611

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.6EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

25 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks. This vulnerability is fixed in 1.19.4.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Affected products

sparklemotion · nokogiri

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2