Low severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 24, 2026
Rails has a possible XSS vulnerability in its Action Pack debug exceptions
CVE-2026-33167
Description
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development. Version 8.1.2.1 contains a patch.
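As an added exposure check (not part of this advisory, of Rails, or of the NVD record), the following Ruby script reads the resolved actionpack version out of a Gemfile.lock, compares it against the affected range given above, and combines that with the detailed-exception-pages setting (config.consider_all_requests_local) that gates the vulnerable page. The Gemfile.lock fragment is constructed for illustration.

```ruby
require "rubygems"

# Affected range as listed in this advisory (CVE-2026-33167).
AFFECTED = Gem::Requirement.new(">= 8.1.0", "< 8.1.2.1")

# Pull the resolved actionpack version out of Gemfile.lock text.
# In the specs: section the line reads "    actionpack (8.1.2)".
def actionpack_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A\s{4}actionpack \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# The unescaped-message code path is only reachable when detailed
# exception pages are on (config.consider_all_requests_local = true),
# so the verdict combines the version check with that setting.
def assess(lockfile_text, consider_all_requests_local:)
  version = actionpack_version(lockfile_text)
  return { status: :not_present, version: nil } if version.nil?

  status =
    if !AFFECTED.satisfied_by?(version)
      :not_affected
    elsif consider_all_requests_local
      :exposed
    else
      :vulnerable_version_but_pages_disabled
    end
  { status: status, version: version.to_s }
end

# Constructed Gemfile.lock fragment for illustration (not from a real app).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        actionview (= 8.1.2)
      actionview (8.1.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Development default: detailed pages enabled -> exposed on 8.1.2.
  p assess(SAMPLE_LOCK, consider_all_requests_local: true)
  # Production default: pages disabled -> upgrade still needed, but not exposed.
  p assess(SAMPLE_LOCK, consider_all_requests_local: false)
end
```

A :vulnerable_version_but_pages_disabled result still calls for upgrading to 8.1.2.1; it only means the debug exceptions page is not served in that environment.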
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 8.1.0, < 8.1.2.1 | 8.1.2.1 |
Affected products
- (no CPE) range: < 8.1.3-r0
- (no CPE) range: >= 8.1.0, < 8.1.2.1
- Range: >= 8.1.0, < 8.1.2.1
References
- github.com/advisories/GHSA-pgm4-439c-5jp6 (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33167 (ADVISORY)
- github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0 (WEB)
- github.com/rails/rails/releases/tag/v8.1.2.1 (WEB)
- github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6 (CONFIRM, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml (WEB)