Fix false positives with CVE-2026-33658 (#1020).

postmodern · postmodern · commit 0cd4566acf5a · 2026-03-26T15:48:04.000-07:00
* activestorage 8.0.5 and 8.1.3 are considered patched. https://rubyonrails.org/2026/3/24/Rails-Versions-8-0-5-and-8-1-3-have-been-released
diff --git a/gems/activestorage/CVE-2026-33658.yml b/gems/activestorage/CVE-2026-33658.yml
@@ -15,8 +15,8 @@ description: |
   ranges causes disproportionate CPU usage compared to a normal
   request for the same file, possibly resulting in a DoS vulnerability.
 patched_versions:
-  - "~> 7.2.3.1"
-  - "~> 8.0.4.1"
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
   - ">= 8.1.2.1"
 related:
   url:
