Ruby on Rails carries two concurrent denial-of-service CVEs this period, both high severity (CVSS 7.5) and both exploitable without authentication. CVE-2026-33174 targets Active Storage proxy delivery mode, allowing memory exhaustion via unbounded Range headers on file download endpoints. CVE-2026-33176 exploits Active Support’s number formatting helpers, where BigDecimal expansion of scientific notation strings causes uncontrolled memory and CPU consumption. Both are fixed in the same patched releases (8.1.2.1, 8.0.4.1, 7.2.3.1), so a single upgrade cycle remediates both. Organizations should apply both fixes together and evaluate whether Active Storage proxy delivery mode is operationally required, as switching to redirect mode eliminates CVE-2026-33174’s attack surface entirely.
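An added example (not code from the Rails project or the advisory): a Ruby check that reads a Gemfile.lock for the two affected gems, compares them with the patched releases listed above, and flags the global proxy-mode setting. The sample lockfile and config are constructed, and treating any version below the listed release on the same release line as needing an upgrade is an assumption.

```ruby
# Patched release per release line, as listed above.
PATCHED = { "8.1" => "8.1.2.1", "8.0" => "8.0.4.1", "7.2" => "7.2.3.1" }.freeze
# Gem that carries each fix.
GEMS = { "activestorage" => "CVE-2026-33174",
         "activesupport" => "CVE-2026-33176" }.freeze

# Constructed sample input (not taken from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      activestorage (8.0.4)
        activesupport (= 8.0.4)
      activesupport (8.0.4)
      rack (3.1.8)
LOCK
SAMPLE_CONFIG = <<~CONF
  # config.active_storage.resolve_model_to_route = :rails_storage_redirect
  config.active_storage.resolve_model_to_route = :rails_storage_proxy
CONF

# :patched, :needs_upgrade (assumption: anything below the listed release on
# the same line), or :unlisted (release line not covered by the list above).
def patch_status(version_string)
  version = Gem::Version.new(version_string)
  floor = PATCHED[version.segments.first(2).join(".")]
  return :unlisted unless floor
  version >= Gem::Version.new(floor) ? :patched : :needs_upgrade
end

# Reads resolved "    name (x.y.z)" spec lines; dependency lines (6 spaces) are skipped.
def audit_lockfile(lock_text)
  lock_text.each_line.each_with_object({}) do |line, out|
    m = line.match(/\A {4}(\S+) \((\d[\w.]*)\)\s*\z/)
    next unless m && GEMS.key?(m[1])
    out[m[1]] = { cve: GEMS[m[1]], version: m[2], status: patch_status(m[2]) }
  end
end

# True when an uncommented line sets the global Active Storage route to proxy
# mode. Direct use of the proxy route helpers in views is not detected here.
def proxy_mode?(config_text)
  config_text.each_line.any? do |line|
    !line.match?(/\A\s*#/) &&
      line.match?(/resolve_model_to_route\s*=\s*:rails_storage_proxy\b/)
  end
end

p audit_lockfile(SAMPLE_LOCK), proxy_mode?(SAMPLE_CONFIG) if __FILE__ == $PROGRAM_NAME
```

A result of `:unlisted` means the release line has no patched release in the list above and needs a manual decision.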