CVE-2026-33168 — Cross-site Scripting in Rails Actionview

CWE-79 — Cross-site Scripting8 documents7 sources

Severity

2.3LOWNVD

EPSS

0.0%

top 93.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rails Actionview

Timeline

PublishedMar 23

Description

Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5rails/actionview< 7.2.3.1+2

▶RubyGemsrails/actionview8.1.0.beta1 — 8.1.2.1+2

🔴Vulnerability Details

GHSA

Rails has a possible XSS vulnerability in its Action View tag helpers↗2026-03-23

▶

OSV

CVE-2026-33168: Action View provides conventions and helpers for building web pages with the Rails framework↗2026-03-23

▶

CVEList

Rails has a possible XSS vulnerability in its Action View tag helpers↗2026-03-23

▶

OSV

Rails has a possible XSS vulnerability in its Action View tag helpers↗2026-03-23

▶

📋Vendor Advisories

Red Hat

actionview: Action View: Cross-Site Scripting (XSS) via blank HTML attribute names↗2026-03-23

▶

Debian

CVE-2026-33168: rails - Action View provides conventions and helpers for building web pages with the Rai...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33168 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶