
CVE Reports

Originally published at cvereports.com

CVE-2026-33168: Cross-Site Scripting (XSS) via Attribute Injection in Rails Action View

Vulnerability ID: CVE-2026-33168
CVSS Score: 2.3
Published: 2026-03-23

CVE-2026-33168 is a Cross-Site Scripting (XSS) vulnerability in the Action View component of Ruby on Rails. The flaw stems from insufficient validation of HTML attribute keys in the TagHelper#tag_options method. When rendering tags with user-controlled attribute hashes, empty or blank keys bypass escaping mechanisms, allowing attackers to inject arbitrary HTML attributes and execute malicious JavaScript in the victim's browser context.

TL;DR

A low-severity XSS flaw in Rails Action View allows attackers to inject malicious HTML attributes by passing blank keys to tag helpers.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS 4.0 Score: 2.3
  • Impact: Cross-Site Scripting (XSS)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Ruby on Rails
  • Action View component
  • actionview: < 7.2.3.1 (Fixed in: 7.2.3.1)
  • actionview: >= 8.0.0.beta1, < 8.0.4.1 (Fixed in: 8.0.4.1)
  • actionview: >= 8.1.0.beta1, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

Commit: 63f5ad8

Fix possible XSS vulnerability in Action View tag helpers (v8.1.x)

@@ -237,16 +237,19 @@ def tag_options(options, escape = true) # :nodoc:
           output = +""
           sep    = " "
           options.each_pair do |key, value|
+            next if key.blank?
+
             type = TAG_TYPES[key]
             if type == :data && value.is_a?(Hash)
               value.each_pair do |k, v|
-                next if v.nil?
+                next if k.blank? || v.nil?
+
                 output << sep
                 output << prefix_tag_option(key, k, v, escape)
               end
             elsif type == :aria && value.is_a?(Hash)
               value.each_pair do |k, v|
-                next if v.nil?
+                next if k.blank? || v.nil?
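Review bot: The hunk ends inside the aria branch, so the visible context does not show the final branch for plain attributes; it is covered only because the new `next if key.blank?` is the first statement of the `each_pair` loop, and a test passing a blank key with a plain (non-data, non-aria) value would make that explicit. `blank?` also treats whitespace-only strings as blank, not just `nil` and `""`, so tests should cover all three forms for both the outer `key` and the nested `k`. The skip is silent, which is the intended hardening, but a caller passing such keys now gets attributes dropped with no warning, so the behaviour change deserves a line in the changelog.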

Commit: c79a07d

Fix possible XSS vulnerability in Action View tag helpers (v8.0.x)

Commit: 0b6f800

Fix possible XSS vulnerability in Action View tag helpers (v7.2.x)

Mitigation Strategies

  • Upgrade the actionview gem to a fixed version (7.2.3.1, 8.0.4.1, or 8.1.2.1, depending on the release line in use).
  • Audit application codebase for dynamic HTML attribute generation using external input.
  • Implement strong validation and strict key allowlisting for dynamic tag helper attributes.
  • Deploy static application security testing (SAST) to detect untrusted hash keys passed to tag helpers.
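As an added example (not code from Rails or from the CVE report), the key allowlisting recommended above implemented as a plain-Ruby filter that runs over an untrusted attribute hash before it is handed to a tag helper; the `blank_key?` stand-in for ActiveSupport's `blank?`, `ALLOWED_ATTRS`, `NESTED_KEY` and the sample hash are assumptions of the example.

```ruby
# Added example, not Rails' own code: pre-filter an attribute hash built from
# untrusted input before it reaches Action View tag helpers (tag_options /
# content_tag). It mirrors the guard the fix adds (skip blank keys) and adds
# a key allowlist, so only expected attributes survive on any actionview version.
# Assumptions: plain Ruby without ActiveSupport (a local check replaces
# Object#blank?); ALLOWED_ATTRS and NESTED_KEY are illustrative, not Rails defaults.

ALLOWED_ATTRS = %w[id class title role href data aria].freeze
# data-* / aria-* suffixes: lowercase letters, digits and single hyphens only.
NESTED_KEY = /\A[a-z0-9]+(?:-[a-z0-9]+)*\z/

# Local stand-in for ActiveSupport's blank?: nil or a whitespace-only name.
def blank_key?(key)
  key.nil? || key.to_s.strip.empty?
end

# Returns a new hash with only allowlisted, non-blank attributes. Nested :data /
# :aria hashes get the patch's rule (skip k.blank? || v.nil?) plus a key pattern.
def safe_tag_attributes(attrs)
  attrs.each_with_object({}) do |(key, value), out|
    next if blank_key?(key)
    name = key.to_s
    next unless ALLOWED_ATTRS.include?(name)

    if %w[data aria].include?(name)
      next unless value.is_a?(Hash)
      nested = value.each_with_object({}) do |(k, v), inner|
        next if blank_key?(k) || v.nil?
        next unless NESTED_KEY.match?(k.to_s)
        inner[k.to_s] = v
      end
      out[name] = nested unless nested.empty?
    else
      out[name] = value
    end
  end
end

# Constructed sample: attributes assembled from request input, with a blank
# top-level key, a blank nested data key and a non-allowlisted event handler.
SAMPLE_ATTRS = {
  "" => "injected",       # blank key: dropped
  "class" => "card",
  "onclick" => "handler", # not allowlisted: dropped
  data: { "" => "bad", "user-id" => 42, "x y" => "bad", "role" => nil },
  aria: { label: "Card" },
}.freeze
# => {"class"=>"card", "data"=>{"user-id"=>42}, "aria"=>{"label"=>"Card"}}
p safe_tag_attributes(SAMPLE_ATTRS)
```

The filtered hash can then be splatted into a helper call such as `tag.div(**safe_tag_attributes(attrs))`, which also removes the dependency on the helper's own blank-key handling.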

Remediation Steps:

  1. Identify the current version of Action View/Rails in the project Gemfile.
  2. Update the Gemfile to specify version 7.2.3.1, 8.0.4.1, or 8.1.2.1.
  3. Execute bundle install or bundle update actionview in the application root directory.
  4. Run the full application test suite to verify no rendering regressions.
  5. Deploy the updated application to staging, verify UI functions, and proceed to production.

Read the full report for CVE-2026-33168 on our website for more details including interactive diagrams and full exploit analysis.
