CVE-2026-33170Cross-site Scripting in Rails Activesupport

CWE-79Cross-site Scripting8 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 97.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rails ActivesupportRubyonrails Rails
Timeline
PublishedMar 24

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

CVEListV5rails/activesupport< 7.2.3.1+2
NVDrubyonrails/rails8.0.08.0.4.1+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
CVE-2026-33170: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework2026-03-24
OSV
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%2026-03-23
GHSA
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%2026-03-23
CVEList
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%2026-03-23

📋Vendor Advisories

2
Red Hat
Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%2026-03-23
Debian
CVE-2026-33170: rails - Active Support is a toolkit of support libraries and Ruby core extensions extrac...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-33170 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33170 — Cross-site Scripting in Rails | cvebase