Arbitrary Code Injection Affecting rd_searchlogic package, versions >=0.0.0


Severity

Critical (CVSS assessment by Snyk's Security Team)

Threat Intelligence

  • Exploit Maturity: Proof of Concept
  • EPSS: 2.46% (83rd percentile)

  • Snyk ID: SNYK-RUBY-RDSEARCHLOGIC-14121731
  • Published: 26 Nov 2025
  • Disclosed: 20 Aug 2025
  • Credit: joernchen

Introduced: 20 Aug 2025

CVE-2011-10026
CWE-78
CWE-94

How to fix?

There is no fixed version for rd_searchlogic.

Overview

rd_searchlogic is a Searchlogic package that makes using ActiveRecord named scopes easier and less repetitive.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the search[instance_eval] parameter: the parameter key is invoked dynamically as a method using send. An attacker can execute arbitrary commands on the server by injecting malicious input.
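The dispatch pattern described above, next to an allowlisted form, as an added example that is not rd_searchlogic's own code. DemoSearch, its condition methods and the sample parameters are hypothetical and constructed for illustration; the sample value is a harmless assignment.

```ruby
# Added illustration; DemoSearch is hypothetical, not rd_searchlogic code.
class DemoSearch
  ALLOWED_CONDITIONS = %w[name_like age_gt].freeze

  attr_reader :applied

  def initialize
    @applied = {}
  end

  # Stand-ins for generated named-scope conditions.
  def name_like(value)
    @applied[:name_like] = value
  end

  def age_gt(value)
    @applied[:age_gt] = Integer(value)
  end

  # Pattern the advisory describes: the request key selects the method.
  def unsafe_apply(params)
    params.each { |key, value| send(key, value) }
    self
  end

  # Hardened: only allowlisted names are dispatched. public_send alone
  # would not help, because instance_eval is a public method.
  def safe_apply(params)
    params.each do |key, value|
      name = key.to_s
      raise ArgumentError, "unknown search condition: #{name.inspect}" unless ALLOWED_CONDITIONS.include?(name)
      public_send(name, value)
    end
    self
  end
end

# Constructed input shaped like a parsed search[...] hash; the value is benign.
SAMPLE = { "name_like" => "bob", "instance_eval" => "@applied[:evaluated] = true" }.freeze

def unsafe_result
  DemoSearch.new.unsafe_apply(SAMPLE).applied
end

def safe_result
  DemoSearch.new.safe_apply(SAMPLE).applied
rescue ArgumentError => e
  e.message
end
```

Because the advisory lists no fixed version, an application-side check of this kind has to reject unknown keys before the search hash reaches the package.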
