Three Punctures Through a Polished Surface
Ruby on Rails occupies a distinctive position in the framework landscape. It powers Shopify, GitHub, and Basecamp. It has a loyal developer community, an opinionated architecture, and an 84.0 security score on WebPulse — a number that suggests a well-maintained platform. But the CISA Known Exploited Vulnerabilities catalog tells a story that aggregate scores do not.
Rails carries 3 entries in the KEV catalog, with the most recent added in July 2025. The KEV catalog is maintained by the Cybersecurity and Infrastructure Security Agency. It is not a theoretical risk assessment or an automated scan result. Each entry represents a vulnerability that has been confirmed exploited in the wild — used by threat actors against real targets in real operations.
The Resource Asymmetry
Shopify employs hundreds of security engineers. GitHub operates one of the largest bug bounty programs in the industry. These organizations can absorb KEV-listed vulnerabilities with dedicated incident response, rapid patching, and layered defensive architecture. The concern is not Shopify running Rails. The concern is the thousands of smaller organizations running the same framework without the same resources.
Rails' 137 total CVEs with only 3 rated high-severity suggests a framework that generates mostly manageable vulnerabilities. That profile is genuinely better than many alternatives. But the KEV entries add a dimension that severity ratings do not capture: confirmed weaponization. A medium-severity CVE that appears in the KEV catalog is operationally more dangerous than a high-severity CVE that no one has exploited.
The Zero-KEV Comparison
The contrast sharpens when measured against alternatives occupying adjacent architectural positions. Django — Rails' closest counterpart in the Python ecosystem — carries zero KEV entries. FastAPI, the rising alternative for API-first architectures, carries zero. Hugo, representing the static-site generation approach, carries zero.
Zero KEV is not the same as zero risk. It means that no vulnerability in these frameworks has been actively exploited at a scale that triggered federal catalog inclusion. That distinction matters for organizations making framework decisions with security as a weighted criterion.
The Decision Framework
Rails' 84.0 security score reflects genuine strengths — active maintenance, a responsive core team, and a relatively contained CVE profile. The KEV entries do not erase those strengths. They qualify them. Organizations evaluating Rails need to factor in not just how many vulnerabilities the framework accumulates, but whether those vulnerabilities have been actively exploited, and whether their security posture can absorb that reality. For organizations without dedicated security teams, the KEV catalog is the signal that separates theoretical risk from demonstrated exposure.


