Ruby on Rails carries two concurrent high-severity denial-of-service CVEs this period: CVE-2026-33174 (CVSS 7.5) in Active Storage allows unauthenticated attackers to exhaust server memory via oversized Range headers on proxy delivery endpoints, and CVE-2026-33176 (CVSS 7.5) in Active Support allows resource exhaustion via scientific notation strings (e.g., '1e10000') processed by number helper methods. Both vulnerabilities require no authentication and affect all Rails releases prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. Actions: upgrade to the patched release corresponding to your current major branch. As an interim mitigation, consider WAF rules that restrict Range headers on Active Storage endpoints and reject scientific notation patterns in numeric input fields.
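
Where no WAF is available, the same interim filtering can be done at the Rack layer. The following is an added example, not code from Rails or from this advisory. The 8 MiB range ceiling, the parameter names, and the unchanged default `/rails/active_storage/` route prefix are assumptions, and it inspects query-string parameters only.

```ruby
require "uri"

# Added example: interim Rack filter, not the upstream Rails fix.
class InterimDosFilter
  STORAGE_PREFIX = "/rails/active_storage/"   # default prefix (assumed unchanged)
  MAX_RANGE_BYTES = 8 * 1024 * 1024           # assumed per-request ceiling
  SINGLE_RANGE = /\Abytes=(\d{1,15})-(\d{1,15})\z/
  # Linear-time pattern: mantissa followed by an exponent, e.g. 1e10000, 2.5E-3
  SCI_NOTATION = /\A\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)[eE][+-]?\d+\s*\z/

  def initialize(app, numeric_params: %w[amount price quantity])
    @app = app
    @numeric_params = numeric_params          # hypothetical field names
  end

  def call(env)
    return reject(416, "range not allowed") unless range_ok?(env)
    return reject(400, "invalid number") if sci_notation?(env["QUERY_STRING"].to_s)
    @app.call(env)
  end

  # Allow only one bounded range on Active Storage paths. Open-ended
  # (bytes=0-) and multi-range requests are refused; relax if clients need them.
  def range_ok?(env)
    range = env["HTTP_RANGE"]
    return true if range.nil? || !env["PATH_INFO"].to_s.start_with?(STORAGE_PREFIX)
    m = SINGLE_RANGE.match(range.strip)
    return false unless m
    first, last = m[1].to_i, m[2].to_i
    last >= first && (last - first + 1) <= MAX_RANGE_BYTES
  end

  # True when a listed numeric parameter carries exponent notation.
  def sci_notation?(query)
    URI.decode_www_form(query).any? do |key, value|
      @numeric_params.include?(key) && SCI_NOTATION.match?(value)
    end
  rescue ArgumentError
    true # raw non-ASCII query string: fail closed
  end

  private

  def reject(status, message)
    [status, { "content-type" => "text/plain" }, [message]]
  end
end
```

In a Rails application this would be registered with `config.middleware.insert_before 0, InterimDosFilter`. Form and JSON bodies are not inspected here, so numeric fields submitted that way still need validation in the application until the upgrade is in place.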