Low severity · NVD Advisory · Published Mar 23, 2026 · Updated Apr 16, 2026
CVE-2026-33168
Description
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
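The primary fix is upgrading to 8.1.2.1, 8.0.4.1 or 7.2.3.1. For applications that accept user-chosen attribute names, the pure-Ruby filter below, added here as a defensive example and not taken from the advisory or from Rails, allowlists attribute names before they reach an Action View tag helper and rejects blank names outright, since a blank name is the input the advisory identifies as the trigger. The allowlist contents, the `safe_attribute_name?` / `filter_user_attributes` helper names and the sample input are assumptions for illustration.

```ruby
# Added example, not code from the advisory or from Rails: allowlist user-supplied
# HTML attribute names before handing them to Action View tag helpers such as
# content_tag(:div, text, attrs). The allowlist below is an assumption for
# illustration; a real application lists the attributes it actually needs.
require "set"

ALLOWED_ATTRIBUTE_NAMES = Set.new(%w[class id title role lang dir]).freeze

# Conservative attribute-name grammar: starts with a letter, then letters, digits,
# hyphen or underscore. Whitespace, quotes, '=', '/', '<' and '>' never pass.
ATTRIBUTE_NAME_PATTERN = /\A[a-z][a-z0-9_-]*\z/i

# data-* attributes are accepted when a non-empty suffix follows the prefix.
DATA_ATTRIBUTE_PATTERN = /\Adata-[a-z0-9_-]+\z/i

# Blank names (nil, "", whitespace only) are exactly the input the advisory
# describes: unpatched Action View skipped attribute escaping for them.
def blank_name?(name)
  name.nil? || name.to_s.strip.empty?
end

# True only for names that are non-blank, well-formed, not event handlers,
# and either on the allowlist or a well-formed data-* attribute.
def safe_attribute_name?(name)
  return false if blank_name?(name)
  s = name.to_s.downcase
  return false unless s.match?(ATTRIBUTE_NAME_PATTERN)
  return false if s.start_with?("on") # onclick, onerror, ... carry script
  ALLOWED_ATTRIBUTE_NAMES.include?(s) || s.match?(DATA_ATTRIBUTE_PATTERN)
end

# Splits a user-supplied attribute hash into the pairs that may be passed to a
# tag helper and the names that were rejected (worth logging for detection).
def filter_user_attributes(attrs)
  allowed = {}
  rejected = []
  attrs.each do |name, value|
    if safe_attribute_name?(name)
      allowed[name.to_s.downcase] = value
    else
      rejected << name.to_s
    end
  end
  { allowed: allowed, rejected: rejected }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: one blank name, one event handler, two acceptable names.
  sample = { "" => "x", "class" => "btn", "onload" => "y", "data-id" => "7" }
  result = filter_user_attributes(sample)
  puts "allowed:  #{result[:allowed].inspect}"
  puts "rejected: #{result[:rejected].inspect}"
  # In a view, only result[:allowed] would be passed on, e.g.
  # content_tag(:div, text, result[:allowed]).
end
```

The filter is defense in depth, not a substitute for the patched gem: it removes the blank-name case and the broader class of attacker-chosen attribute names, and the rejected list gives a log signal that someone is probing the input.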
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| actionview | RubyGems | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| actionview | RubyGems | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| actionview | RubyGems | < 7.2.3.1 | 7.2.3.1 |
Affected products
OSV coordinates (8 package versions, no CPE assigned):
- pkg:apk/chainguard/gitlab-rails-ce-18.10: < 18.10.3-r1
- pkg:apk/chainguard/gitlab-rails-ce-fips-18.10: < 18.10.3-r0
- pkg:apk/chainguard/gitlab-rails-ce-fips-18.9: < 18.9.5-r0
- pkg:apk/chainguard/ruby3.2-rails-8.1: < 8.1.3-r0
- pkg:apk/chainguard/ruby3.4-rails-8.0: < 8.0.5-r0
- pkg:apk/wolfi/ruby3.2-rails-8.1: < 8.1.3-r0
- pkg:apk/wolfi/ruby3.4-rails-8.0: < 8.0.5-r0
- pkg:gem/actionview: >= 8.1.0.beta1, < 8.1.2.1
References
- github.com/advisories/GHSA-v55j-83pf-r9cq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33168 (NVD advisory)
- github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c (fix commit)
- github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d (fix commit)
- github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924 (fix commit)
- github.com/rails/rails/releases/tag/v7.2.3.1 (release)
- github.com/rails/rails/releases/tag/v8.0.4.1 (release)
- github.com/rails/rails/releases/tag/v8.1.2.1 (release)
- github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq (Rails security advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2026-33168.yml (ruby-advisory-db entry)