anonhaven
Ad

CVE-2026-33167

LOW CVSS 4.0: 1.3 EPSS 0.02%
Updated Mar 24, 2026
Rails
Parameter Value
CVSS 1.3 (LOW)
Affected Versions before 8.1.2.1
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Rails
Public PoC No

Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.

This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 3

https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
security-advisories@github.com
https://github.com/rails/rails/releases/tag/v8.1.2.1
security-advisories@github.com
https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33868

Joinmastodon

6.1

CVE-2026-33658

Rails

2.3

CVE-2026-33286

Rails

9.1

CVE-2026-33202

Rubyonrails

6.6

CVE-2026-33195

Rubyonrails

8.0