CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions
Vulnerability ID: CVE-2026-33167
CVSS Score: 1.3
Published: 2026-03-23
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to Cross-Site Scripting (XSS). This affects applications with detailed exception pages enabled, which is the default in development environments.
TL;DR
Ruby on Rails Action Pack versions 8.1.0 through 8.1.2 contain a Cross-Site Scripting vulnerability in the debug exceptions page. Attackers can execute arbitrary JavaScript by reflecting crafted input into an unhandled exception message.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v4.0 Score: 1.3
- Exploit Status: Proof of Concept
- CISA KEV: No
- Authentication Required: None
Affected Systems
- Ruby on Rails Action Pack
- Ruby on Rails Web Applications
- rails: >= 8.1.0, < 8.1.2.1 (Fixed in: 8.1.2.1)
Code Analysis
Commit: 6752711
Fix XSS vulnerability in debug exceptions template by removing the raw helper.
Exploit Details
- Official Rails Test Suite: Functional proof of concept within actionpack/test/dispatch/debug_exceptions_test.rb
Mitigation Strategies
- Upgrade the Action Pack and Rails framework dependencies to a patched version.
- Ensure production environments disable detailed exception reporting.
- Deploy Web Application Firewall (WAF) rules to detect and block explicit HTML tag injection in parameters.
Remediation Steps:
- Modify the application's Gemfile to require rails >= 8.1.2.1.
- Run bundle update rails to fetch and install the patched dependencies.
- Verify that config.consider_all_requests_local = false is explicitly set in config/environments/production.rb.
- Restart the application server to apply the updated middleware logic.
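A lockfile check for the affected range above, added here as an example (not code from the advisory or from Rails); it assumes the standard Gemfile.lock layout and uses a constructed sample lockfile.

```ruby
# Added example: check a Gemfile.lock against the range from the advisory
# (>= 8.1.0, < 8.1.2.1). Not part of the advisory or of Rails itself.
require "rubygems"

# Affected range as stated in the advisory. actionpack is the gem that ships
# the debug exceptions middleware; the rails gem pins the same version.
AFFECTED = Gem::Requirement.new(">= 8.1.0", "< 8.1.2.1")

# Resolved version of a gem from Gemfile.lock text, or nil if absent.
# Resolved gems sit under "specs:" as "    name (version)" (4-space indent);
# dependency lines use 6 spaces and "(= version)", so they do not match.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A\s{4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# True when a version string falls inside the affected range.
def affected_version?(version_string)
  AFFECTED.satisfied_by?(Gem::Version.new(version_string))
end

# Prefer the actionpack entry (the vulnerable gem); fall back to rails.
# Returns nil when neither gem is locked, so "no data" is not "safe".
def lockfile_affected?(lockfile_text)
  version = locked_version(lockfile_text, "actionpack") ||
            locked_version(lockfile_text, "rails")
  return nil if version.nil?
  affected_version?(version)
end

# Constructed sample lockfile fragment (not from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        actionview (= 8.1.2)
      rails (8.1.2)
        actionpack (= 8.1.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts lockfile_affected?(SAMPLE_LOCK) ? "affected" : "not affected"
end
```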
References
- GitHub Advisory: GHSA-pgm4-439c-5jp6
- Fix Commit: 6752711c8c31d79ba50d13af6a6698a3b85415e0
- Rails Release Tag: v8.1.2.1
- CVE.org Record