Moderate severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 25, 2026
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
CVE-2026-33170
Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
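The flag-propagation problem the description refers to is easier to see in a reduced model. The following is an added example, not ActiveSupport's code: `ToySafeBuffer` is a hypothetical String subclass that mimics the parts of `SafeBuffer` the advisory mentions (an `@html_unsafe` flag, `gsub!` setting it, `%` escaping its arguments and returning a new buffer), `auto_escape` stands in for ERB's decision to trust a buffer only when `html_safe?` is true, and the `propagate_flag:` keyword switches `format_with` between the buggy behaviour (new buffer never inherits the flag) and the fixed behaviour (it does).

```ruby
require "erb"

# Simplified model (added example, not ActiveSupport's code) of the behaviour the
# advisory describes. Like ActiveSupport::SafeBuffer, this is a String subclass
# carrying an @html_unsafe flag; in-place mutators such as gsub! set it, and the
# template layer renders a buffer unescaped only when html_safe? is true.
class ToySafeBuffer < String
  def initialize(str = "")
    @html_unsafe = false
    super(str)
  end

  def html_safe?
    !@html_unsafe
  end

  def mark_unsafe!
    @html_unsafe = true
    self
  end

  # An in-place edit can splice arbitrary text into the buffer, so it can no
  # longer be trusted as pre-escaped.
  def gsub!(*args, &block)
    mark_unsafe!
    super
  end

  # Escapes each positional argument before formatting, then wraps the result in
  # a new buffer. Whether that new buffer inherits the receiver's @html_unsafe
  # flag is exactly what the fix changes (propagate_flag: false models the bug).
  def format_with(args, propagate_flag:)
    escaped = Array(args).map { |a| ERB::Util.html_escape(a.to_s) }
    result = ToySafeBuffer.new(String.new(self) % escaped)
    result.mark_unsafe! if propagate_flag && @html_unsafe
    result
  end
end

# Stand-in for ERB auto-escaping: trusted buffers are emitted as-is, anything
# else is escaped before output.
def auto_escape(buf)
  buf.html_safe? ? buf.to_s : ERB::Util.html_escape(buf.to_s)
end

# The advisory's sequence: mutate in place, then format with an untrusted
# argument. Returns what the template layer sees for the buggy or fixed variant.
def scenario(untrusted, propagate_flag:)
  buf = ToySafeBuffer.new("<b>%s</b>")
  buf.gsub!("b", "strong")  # in-place mutation flags the buffer unsafe
  out = buf.format_with([untrusted], propagate_flag: propagate_flag)
  { html_safe: out.html_safe?, rendered: auto_escape(out) }
end

if __FILE__ == $PROGRAM_NAME
  p scenario("<script>", propagate_flag: false)  # buggy: html_safe true, emitted as-is
  p scenario("<script>", propagate_flag: true)   # fixed: html_safe false, escaped again
end
```

With the flag dropped, the formatted buffer reports `html_safe? == true` and the template layer emits it verbatim even though its content was produced by an untrusted in-place mutation; with the flag propagated, `html_safe?` is false and the buffer goes through escaping like any other string. Regression tests for code that formats mutated buffers should assert on `html_safe?` after `%`, not only on the string content.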
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| activesupport | RubyGems | >= 8.1.0.beta1, < 8.1.2.1 | 8.1.2.1 |
| activesupport | RubyGems | >= 8.0.0.beta1, < 8.0.4.1 | 8.0.4.1 |
| activesupport | RubyGems | < 7.2.3.1 | 7.2.3.1 |
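To turn the ranges in the table into a check against a project's lockfile, here is an added Ruby example (not the advisory's or Rails' own tooling). It uses `Gem::Version` from Ruby's standard RubyGems library for ordering, which handles the prerelease lower bounds (`8.1.0.beta1`) and the four-segment patch releases (`8.1.2.1`) correctly; the `AFFECTED_RANGES` constant is copied from the table, and `SAMPLE_LOCK` is a constructed Gemfile.lock excerpt, not taken from any real project.

```ruby
require "rubygems"

# Affected/patched ranges for the activesupport gem, copied from the advisory
# table (added example; the lockfile text below is constructed).
AFFECTED_RANGES = [
  { min: "8.1.0.beta1", max_exclusive: "8.1.2.1", patched: "8.1.2.1" },
  { min: "8.0.0.beta1", max_exclusive: "8.0.4.1", patched: "8.0.4.1" },
  { min: nil,           max_exclusive: "7.2.3.1", patched: "7.2.3.1" },
].freeze

# Returns the matching range entry for a version string, or nil when the
# version falls outside every affected range. Gem::Version orders prereleases
# before releases (8.1.0.beta1 < 8.1.0) and 8.1.2 before 8.1.2.1.
def affected_range_for(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.find do |r|
    lower_ok = r[:min].nil? || v >= Gem::Version.new(r[:min])
    lower_ok && v < Gem::Version.new(r[:max_exclusive])
  end
end

def affected?(version_string)
  !affected_range_for(version_string).nil?
end

# Pulls the resolved activesupport version out of Gemfile.lock text. Only the
# spec line "    activesupport (7.2.2)" has a digit right after the bracket;
# dependency lines such as "      activesupport (= 7.2.2)" do not and are skipped.
def locked_activesupport_version(lock_text)
  m = lock_text.match(/^\s*activesupport \((\d[^)]*)\)/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.2.2)
        base64
        concurrent-ruby (~> 1.0, >= 1.3.1)
      rails (7.2.2)
        activesupport (= 7.2.2)
LOCK

# One-line verdict for a lockfile: not present, not affected, or the patched
# version to move to.
def report(lock_text)
  version = locked_activesupport_version(lock_text)
  return "activesupport not found in lockfile" if version.nil?
  range = affected_range_for(version)
  return "activesupport #{version}: not in an affected range" if range.nil?
  "activesupport #{version}: affected, upgrade to #{range[:patched]}"
end

puts report(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

Run it against a real lockfile with `report(File.read("Gemfile.lock"))`. The ranges above are the RubyGems ones; distribution packages that vendor Rails (the apk entries under Affected products) carry their own version schemes and need their package manager's advisory feed instead.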
Affected products
14 OSV version ranges (no CPE assigned to any of them):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.10 | < 18.10.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 | < 18.10.3-r0 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.5-r0 |
| pkg:apk/chainguard/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/chainguard/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/chainguard/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/chainguard/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:apk/wolfi/cinc-auditor | < 7.0.107-r1 |
| pkg:apk/wolfi/kube-fluentd-operator | < 1.18.2-r60 |
| pkg:apk/wolfi/kube-logging-operator-fluentd-outputs | < 6.4.0-r9 |
| pkg:apk/wolfi/ruby3.2-rails-8.1 | < 8.1.3-r0 |
| pkg:apk/wolfi/ruby3.4-rails-8.0 | < 8.0.5-r0 |
| pkg:gem/activesupport | >= 8.1.0.beta1, < 8.1.2.1 |
References
- github.com/advisories/GHSA-89vf-4333-qx8v (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33170 (ghsa: ADVISORY)
- github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7 (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/releases/tag/v7.2.3.1 (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/releases/tag/v8.0.4.1 (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/releases/tag/v8.1.2.1 (ghsa: x_refsource_MISC, WEB)
- github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v (ghsa: x_refsource_CONFIRM, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33170.yml (ghsa: WEB)