rubysec · jasnow · Jan 23, 2026 · Jan 31, 2026 · Jan 31, 2026 · Jan 31, 2026
diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml
@@ -0,0 +1,36 @@
+---
+engine: mruby
+cve: 2025-7207
+ghsa: 48pr-6hvf-39v3
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+title: Heap-based buffer overflow vulnerability in mruby 3.4.0-rc2
+date: 2025-07-08
+description: |
+  A vulnerability, which was classified as problematic, was found
+  in mruby up to 3.4.0-rc2. Affected is the function scope_new of
+  the file mrbgems/mruby-compiler/core/codegen.c of the component
+  nregs Handler. The manipulation leads to heap-based buffer overflow.
+  An attack has to be approached locally. The exploit has been
+  disclosed to the public and may be used. The name of the patch
+  is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended
+  to apply a patch to fix this issue.
+
+  ## RELEASE NOTES
+  - Found Issue #6509 listed in **unreleased** mruby 3.5 NEWS.md
+    file listed below.
+cvss_v2: 1.7
+cvss_v3: 5.5
+cvss_v4: 4.4
+notes: "Never patched  - mruby 3.5.0 has not be released as 1/23/2026."
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
+    - https://github.com/mruby/mruby/issues/6509#event-17145516649
+    - https://github.com/mruby/mruby/issues/6509
+    - https://vuldb.com/?ctiid.315156
+    - https://vuldb.com/?id.315156
+    - https://vuldb.com/?submit.607683
+    - https://www.wiz.io/vulnerability-database/cve/cve-2025-7207
+    - https://github.com/advisories/GHSA-48pr-6hvf-39v3
diff --git a/rubies/ruby/CVE-2024-27282.yml b/rubies/ruby/CVE-2024-27282.yml