CVE-2026-34060 Shopify — Exploit & Vulnerability Details HIGH

CVE-2026-34060

HIGH CVSS 4.0: 7.1 EPSS 0.08%

Parameter	Value
CVSS	7.1 (HIGH)
Type	CWE-94 (Code Injection)
Vendor	Shopify
Public PoC	No

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. This issue has been patched in Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

None

No privileges needed

User Interaction

Active

User action required

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-94 Code Injection

References 2

https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9

security-advisories@github.com

https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39412

Shopify

5.3

CVE-2026-33287

Shopify

7.5

CVE-2026-33285

Shopify

7.5

CVE-2026-30952

Shopify

8.7

Menu

CVE-2026-34060

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-39412

CVE-2026-33287

CVE-2026-33285

CVE-2026-30952

CVE Details

Editor's Choice

Menu

CVE-2026-34060

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-39412

CVE-2026-33287

CVE-2026-33285

CVE-2026-30952

CVE Details

Editor's Choice

Stay informed on cybersecurity