CVE-2026-33167.yml
---
gem: actionpack
framework: rails
cve: 2026-33167
ghsa: pgm4-439c-5jp6
url: https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
title: Rails has a possible XSS vulnerability in its Action Pack debug exceptions
date: 2026-03-23
description: |
  ### Impact
  The debug exceptions page does not properly escape exception messages.
  A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.
  This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),
  which is the default in development.
  ### Releases
  The fixed releases are available at the normal locations.
unaffected_versions:
  - "< 8.1.0"
patched_versions:
  - ">= 8.1.2.1"
related:
  url:
    - https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
    - https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
    - https://github.com/rails/rails/releases/tag/v8.1.2.1
    - https://github.com/advisories/GHSA-pgm4-439c-5jp6
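The practical question this record answers is whether a given actionpack version is affected. The following Ruby script is an added example, not part of the advisory database or of Rails: it embeds the version ranges from the record above, reads the locked actionpack version out of a constructed Gemfile.lock sample, and classifies it with RubyGems' own `Gem::Requirement` matching. The interpretation used here (a version inside `unaffected_versions` never contained the bug, one inside `patched_versions` contains the fix, everything else is vulnerable) is an assumption about the record's semantics; the sample lockfile is constructed and the helper names are the example's own.

```ruby
require "yaml"
require "rubygems"

# Version ranges copied from the advisory record above; the rest of the record
# (title, URLs, description) is not needed for the check and is omitted.
ADVISORY_YAML = <<~YAML
  ---
  gem: actionpack
  cve: 2026-33167
  unaffected_versions:
    - "< 8.1.0"
  patched_versions:
    - ">= 8.1.2.1"
YAML

ADVISORY = YAML.safe_load(ADVISORY_YAML)

# Constructed Gemfile.lock excerpt (not from any real application). In the
# "specs:" section, top-level gems are indented four spaces and their
# dependencies six, which the regexp in locked_version relies on.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        actionview (= 8.1.2)
      actionview (8.1.2)
LOCK

# True when version_string satisfies any RubyGems requirement string in ranges.
def matches_any?(version_string, ranges)
  version = Gem::Version.new(version_string)
  Array(ranges).any? { |range| Gem::Requirement.new(range).satisfied_by?(version) }
end

# Classify an installed version against the advisory (assumed semantics):
#   :unaffected - the bug was never present in this version
#   :patched    - the fix is present
#   :vulnerable - anything in between
def classify(version_string, advisory = ADVISORY)
  return :unaffected if matches_any?(version_string, advisory["unaffected_versions"])
  return :patched if matches_any?(version_string, advisory["patched_versions"])
  :vulnerable
end

# Pull the locked version of gem_name from Gemfile.lock text, or nil if absent.
def locked_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  match && match[1]
end

# Combine the two steps for one lockfile; returns [version, status].
def check_lockfile(lockfile_text, advisory = ADVISORY)
  version = locked_version(lockfile_text, advisory["gem"])
  return [nil, :not_present] if version.nil?
  [version, classify(version, advisory)]
end

if __FILE__ == $PROGRAM_NAME
  version, status = check_lockfile(SAMPLE_LOCKFILE)
  puts "#{ADVISORY['gem']} #{version}: #{status} (CVE-#{ADVISORY['cve']})"
  %w[8.0.2 8.1.0 8.1.2 8.1.2.1 8.1.3].each do |v|
    puts "  #{v} -> #{classify(v)}"
  end
end
```

Versions before 8.1.0 fall in the unaffected range, 8.1.0 through 8.1.2 are reported vulnerable, and 8.1.2.1 onward are patched; the sample lockfile at 8.1.2 is therefore flagged, which is the result a dependency audit should surface for this record.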