Actionpack Project Actionpack vulnerabilities
63 known vulnerabilities affecting actionpack_project/actionpack.
Total CVEs: 63
CISA KEV: 2 (actively exploited)
Public exploits: 8
Exploited in wild: 3
Severity breakdown: CRITICAL 1, HIGH 16, MEDIUM 42, LOW 4
Vulnerabilities
CVE-2026-33167 | P4 | LOW | ≥ 8.1.0, < 8.1.2.1 | 2026-03-23
CVE-2026-33167 [LOW] CWE-79 Rails has a possible XSS vulnerability in its Action Pack debug exceptions
### Impact
The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the def
Sources: GHSA, OSV
CVE-2023-28362 | P4 | MEDIUM | CVSS 4.0 | ≥ 0, < 6.1.7.4; ≥ 7.0.0, < 7.0.5.1 | 2023-06-29
CVE-2023-28362 [MEDIUM] CWE-116 Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
The `redirect_to` method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location heade
Sources: GHSA, OSV
CVE-2024-54133 | P4 | LOW | ≥ 5.2.0, < 7.0.8.7; ≥ 7.1.0, < 7.1.5.1; +2 more | 2024-12-10
CVE-2024-54133 [LOW] CWE-79 Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack.
Impact
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of th
Sources: GHSA, OSV