Injection Vulnerability
The Chartkick gem for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).
Advisories for Gem/Chartkick package
2020
2019
Prototype Pollution
Chartkick.js, as used in the Chartkick gem for Ruby, allows prototype pollution.
Cross-site Scripting
The Chartkick gem for Ruby allows XSS.