Rails has a possible XSS vulnerability in its Action Pack debug exceptions
Description
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development. Version 8.1.2.1 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Action Pack 8.1.x before 8.1.2.1 has an XSS vulnerability in the debug exceptions page due to unescaped exception messages.
Vulnerability
Overview
CVE-2026-33167 is a cross-site scripting (XSS) vulnerability in the Action Pack Ruby gem, part of the Ruby on Rails framework. The bug resides in the debug exceptions page, which fails to properly escape exception messages before rendering them. A carefully crafted exception message can inject arbitrary HTML and JavaScript into the page, leading to XSS [1][2].
Exploitation
Exploitation requires that detailed exception pages are enabled (config.consider_all_requests_local = true), which is the default in development environments. An attacker who can trigger an exception with a malicious message (e.g., via crafted input that becomes part of an exception) can inject script content into the debug page. The attack vector is network-based, with low attack complexity and no special privileges required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the developer's browser session. This can lead to theft of session cookies, credentials, or other sensitive data, or to further attacks against the development environment [1][2].
Mitigation
The vulnerability is patched in Action Pack version 8.1.2.1. Users on the 8.1 branch should upgrade immediately. No workarounds are mentioned in the advisory [1][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
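To make the mechanism concrete, here is an added Ruby illustration (not code from Rails or from this advisory) that renders a stand-in for the rescues layout's copy-to-clipboard carrier with plain ERB in its `raw` and escaped forms. The template strings and the exception message are constructed; stdlib `ERB::Util.html_escape` stands in for the default output escaping Action View applies once `raw` is removed.

```ruby
require "erb"

# Constructed exception message (not taken from the advisory) that contains
# a closing script tag, the shape of input the description warns about.
PAYLOAD_MESSAGE = "x</script><script>alert(1)</script>"

# Stand-ins for the two states of the rescues layout. Plain ERB never
# escapes <%= %>, so the first template behaves like Action View's
# `<%= raw ... %>`; the second applies the HTML escaping Action View
# performs by default for a non-html_safe string.
VULNERABLE_TEMPLATE =
  '<script type="text/plain" id="exception-message-for-copy"><%= message %></script>'
FIXED_TEMPLATE =
  '<script type="text/plain" id="exception-message-for-copy"><%= ERB::Util.html_escape(message) %></script>'

def render(template, message)
  ERB.new(template).result_with_hash(message: message)
end

# Number of </script> end tags in the rendered HTML. The carrier element
# contributes exactly one; any more means the message terminated it early
# and everything after that point is parsed as markup, which is the XSS.
def script_close_count(html)
  html.scan(%r{</script\s*>}i).size
end

def breaks_out?(html)
  script_close_count(html) > 1
end

if __FILE__ == $PROGRAM_NAME
  [["vulnerable", VULNERABLE_TEMPLATE], ["fixed", FIXED_TEMPLATE]].each do |label, tpl|
    html = render(tpl, PAYLOAD_MESSAGE)
    puts "#{label}: #{script_close_count(html)} closing tag(s), breakout=#{breaks_out?(html)}"
  end
end
```

The escaped form keeps the message inside the `text/plain` element as `&lt;/script&gt;`, which the HTML parser never treats as an end tag, so no second script element is created.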
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 8.1.0, < 8.1.2.1 | 8.1.2.1 |
Affected products
- rails/actionpack v5, range: >= 8.1.0, < 8.1.2.1
Patches
- 6752711c8c31: Fix XSS in debug exceptions copy-to-clipboard
2 files changed · +13 −2
actionpack/lib/action_dispatch/middleware/templates/rescues/layout.erb+1 −1 modified@@ -328,7 +328,7 @@ <body> <%= yield %> - <script type="text/plain" id="exception-message-for-copy"><%= raw @exception_message_for_copy %></script> + <script type="text/plain" id="exception-message-for-copy"><%= @exception_message_for_copy %></script> </body> </html>
actionpack/test/dispatch/debug_exceptions_test.rb+12 −1 modified@@ -128,6 +128,8 @@ def call(env) rescue Exception raise ActionView::Template::Error.new(template) end + when "/xss_error" + raise "x</script><script>alert(1)</script>" else raise "puke!" end @@ -937,6 +939,16 @@ def self.build_app(app, *args) assert_select "#container code", /undefined local variable or method ['`]string”'/ end + test "exception message is escaped in copy-to-clipboard script tag" do + @app = DevelopmentApp + + get "/xss_error", headers: { "action_dispatch.show_exceptions" => :all } + assert_response 500 + + assert_no_match "<script>alert(1)</script>", body + assert_match "<script>alert(1)</script>", body + end + test "includes copy button in error pages" do @app = DevelopmentApp @@ -957,7 +969,6 @@ def self.build_app(app, *args) assert_response 500 assert_no_match %r{<button}, body - assert_no_match %r{<script}, body end test "exception message includes causes for nested exceptions" do
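Review bot: in the layout.erb hunk, dropping `raw` so the message is HTML-escaped does stop the `</script>` breakout, but the carrier is a `<script type="text/plain">` element, whose contents browsers parse as raw script data without decoding character references; a copy handler that reads its `textContent` will now copy `&lt;` and `&gt;` literally for any message containing `<` or `>`. Either have the copy-to-clipboard script decode entities, or move the message into a carrier where escaping round-trips, such as a `data-` attribute or a JavaScript string built with `<%= j @exception_message_for_copy %>`.

Review bot: in the new "exception message is escaped in copy-to-clipboard script tag" test, the two assertions as shown are the same string (`assert_no_match "<script>alert(1)</script>", body` followed by `assert_match "<script>alert(1)</script>", body`) and cannot both pass; the second was presumably meant to check the escaped form `&lt;script&gt;alert(1)&lt;/script&gt;` and has been rendered here with its entities decoded. Confirm the committed test asserts the escaped string literally, since that is the only assertion proving the message was escaped rather than dropped.

Review bot: in the last hunk, removing `assert_no_match %r{<script}, body` from the no-copy-button test loosens it with no visible reason in the diff; if the intent is that the text/plain carrier must still be absent when the copy button is absent, replace the line with a targeted check such as `assert_no_match %r{id="exception-message-for-copy"}, body` instead of dropping it, and say why in the commit message.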
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-pgm4-439c-5jp6 (GHSA, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-33167 (GHSA, ADVISORY)
- [3] github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0 (GHSA, x_refsource_MISC, WEB)
- [4] github.com/rails/rails/releases/tag/v8.1.2.1 (GHSA, x_refsource_MISC, WEB)
- [5] github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6 (GHSA, x_refsource_CONFIRM, WEB)
- [6] github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml (GHSA, WEB)