PT-2026-28598 · Ruby-Lsp+1
Vinistock
·
Published
2026-03-27
·
Updated
2026-03-31
·
CVE-2026-34060
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ruby-lsp VS Code extension versions prior to 0.10.2
ruby-lsp gem versions prior to 0.26.9
Description
The rubyLsp.branch VS Code workspace setting was interpolated into a generated Gemfile without sanitization. Because Bundler evaluates a Gemfile as Ruby, a crafted value in a project's .vscode/settings.json could escape the intended string literal and run arbitrary Ruby code when the project was opened. This affects editors that apply workspace settings automatically once the workspace is opened and trusted. Ruby LSP assumes workspace code is trusted, so opening an untrusted workspace could lead to execution of dangerous code. The fix removes the branch CLI argument and the corresponding setting entirely rather than attempting to sanitize the value.
Recommendations
Update to ruby-lsp extension version 0.10.2 or later.
Update the ruby-lsp gem to version 0.26.9 or later.
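The pattern the advisory describes, as an added illustrative example (this is not ruby-lsp's own code, and the function and class names below are assumptions made for the example): an editor setting is dropped verbatim into a generated Gemfile, Bundler evaluates that file as Ruby, and a crafted setting value escapes the string literal. A minimal stand-in for the Gemfile DSL records declarations instead of installing anything, so the effect can be observed offline. The hardened variant shows the alternative to removing the setting, allowlisting the value and emitting it as an escaped Ruby literal; the actual fix simply removed the setting, which is the stronger choice.

```ruby
# Added example, not ruby-lsp's code. Demonstrates how an unsanitized
# editor setting interpolated into a generated Gemfile becomes Ruby code
# execution, and one way to harden the generation step.

# Minimal stand-in for Bundler's Gemfile DSL (assumed for this example):
# records `gem` declarations rather than resolving or installing anything.
class FakeGemfileDSL
  attr_reader :gems

  def initialize
    @gems = []
  end

  def source(_uri); end

  def gem(name, **opts)
    @gems << [name, opts]
  end

  # Bundler evaluates a Gemfile as Ruby; instance_eval models that.
  def self.evaluate(text)
    dsl = new
    dsl.instance_eval(text, "Gemfile", 1)
    dsl
  end
end

# Vulnerable: the setting value lands inside Ruby source unmodified.
def render_gemfile_unsafe(branch)
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: "#{branch}"
  GEMFILE
end

# Allowlist: plausible git branch name characters only, no "..".
# Quotes, "#", ";" and newlines are rejected before they reach the template.
def valid_branch?(branch)
  branch.is_a?(String) &&
    branch.match?(%r{\A[A-Za-z0-9._/-]{1,255}\z}) &&
    !branch.include?("..")
end

# Hardened: validate first, then emit the value with String#dump so that
# even an allowed value is written as a properly escaped Ruby literal.
def render_gemfile_safe(branch)
  unless valid_branch?(branch)
    raise ArgumentError, "refusing unsafe rubyLsp.branch value: #{branch.inspect}"
  end
  <<~GEMFILE
    source "https://rubygems.org"
    gem "ruby-lsp", github: "Shopify/ruby-lsp", branch: #{branch.dump}
  GEMFILE
end

# Constructed payload, as it could appear in a malicious .vscode/settings.json:
#   { "rubyLsp.branch": "main\"; $pwned = true #" }
# The closing quote ends the branch literal, ";" starts a new statement,
# and "#" comments out the template's trailing quote.
MALICIOUS_BRANCH = 'main"; $pwned = true #'

# Returns true when the injected statement ran during Gemfile evaluation.
def demo_unsafe
  $pwned = false
  FakeGemfileDSL.evaluate(render_gemfile_unsafe(MALICIOUS_BRANCH))
  $pwned
end

# Returns :rejected when the hardened renderer refuses the payload.
def demo_safe
  $pwned = false
  render_gemfile_safe(MALICIOUS_BRANCH)
  :accepted
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts render_gemfile_unsafe(MALICIOUS_BRANCH)
  puts "unsafe renderer: attacker code ran? #{demo_unsafe}"
  puts "safe renderer:   #{demo_safe}"
end
```

Running the file prints the generated Gemfile text so the escaped literal is visible, then reports that the unsafe renderer executed the injected statement while the hardened one rejected the value. The broader lesson is the one the advisory acts on: configuration that comes from the repository being opened is attacker-controlled, and the only fully safe option for a value that ends up in evaluated code is not to accept it at all.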
Weakness Enumeration
Code Injection
Affected Products
Vscode
Ruby-Lsp