Multiple security vulnerabilities affecting secure_headers versions < 7.3.0 with affected versions ** `<= 7 have been identified in secure_headers which affects RubyGems. The overall risk/impact is medium to high as an attacker can embed a literal; and inject an arbitrary CSP directive into the header value. Affected versions include <= 7.2.0.
CVE-2026-54163 (CVSS 4.7 — Medium): An attacker can embed a literal; and inject an arbitrary CSP directive into the header value when given untrusted input. The vulnerability is in the build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions which interpolate caller-supplied strings into the Content-Security-Policy value without scrubbing;,, or.[/subscribe_to_unlock_form]
Multiple security vulnerabilities affecting secure_headers versions < 7.3.0 with affected versions ** `<= 7 have been identified in secure_headers which affects RubyGems. The overall risk/impact is medium to high as an attacker can embed a literal; and inject an arbitrary CSP directive into the header value. Affected versions include <= 7.2.0.
CVE-2026-54163 (CVSS 4.7 — Medium): An attacker can embed a literal; and inject an arbitrary CSP directive into the header value when given untrusted input. The vulnerability is in the build_sandbox_list_directive, build_media_type_list_directive, and build_report_to_directive functions which interpolate caller-supplied strings into the Content-Security-Policy value without scrubbing;,, or.[emaillocker id="1283"]
These vulnerabilities collectively present a significant risk to applications that set :sandbox, :plugin_types, or :report_to only from static configuration are not exploitable.
We recommend you to update secure_headers to version 7.3.0.
The following reports contain further technical details:
[/emaillocker]