CVE-2026-33167 — Cross-site Scripting in Rails Actionpack

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

1.3LOWNVD

EPSS

0.0%

top 95.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Actionpack Project Actionpack Rails Actionpack

Timeline

PublishedMar 23

Description

Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

▶CVEListV5rails/actionpack>= 8.1.0, < 8.1.2.1

▶RubyGemsactionpack_project/actionpack8.1.0 — 8.1.2.1

🔴Vulnerability Details

OSV

CVE-2026-33167: Action Pack is a Rubygem for building web applications on the Rails framework↗2026-03-23

▶

OSV

Rails has a possible XSS vulnerability in its Action Pack debug exceptions↗2026-03-23

▶

GHSA

Rails has a possible XSS vulnerability in its Action Pack debug exceptions↗2026-03-23

▶

CVEList

Rails has a possible XSS vulnerability in its Action Pack debug exceptions↗2026-03-23

▶

📋Vendor Advisories

Red Hat

Rails: Action Pack: Action Pack: Cross-Site Scripting (XSS) via improper exception message escaping↗2026-03-23

▶

Debian

CVE-2026-33167: rails - Action Pack is a Rubygem for building web applications on the Rails framework. I...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33167 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶