Hi @levpachmanov, I don't agree with setting a minimum vulnerable version based on the contents of https://github.com/rails/rails/blob/v3.0.20/activerecord/lib/active_record.rb. I found fix commits for versions [7.03.1](https://github.com/rails/rails/commit/9529dc844e001c03931e3579a03b89713d9c236f), [6.1.6.1](https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176), [6.0.5.1](https://github.com/rails/rails/commit/d28f278788b599c0a9f6e3ea437c6642eb56f16c), and [5.2.8.1](https://github.com/rails/rails/commit/6576aa7bbcf52ebd39853363e29f92b4dd53b6f1), and of those, only the fix commits corresponding the the `7.1` and `7.0` branches made any changes to `active_record.rb`. I think it's more likely that change in a different file would cause CVE-2022-32224. Can you find a change that's consistent with all of the fix commits and where the vulnerable code was introduced in the repo? · Issue #7548 · github/advisory-database