This content originally appeared on DEV Community and was authored by CVE Reports
CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions
Vulnerability ID: CVE-2026-33167
CVSS Score: 1.3
Published: 2026-03-23
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to Cross-Site Scripting (XSS). This affects applications with detailed exception pages enabled, which is the default in development environments.
TL;DR
Ruby on Rails Action Pack versions 8.1.0 through 8.1.2 contain a Cross-Site Scripting vulnerability in the debug exceptions page. Attackers can execute arbitrary JavaScript by reflecting crafted input into an unhandled exception message.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v4.0 Score: 1.3
- Exploit Status: Proof of Concept
- CISA KEV: No
- Authentication Required: None
Affected Systems
- Ruby on Rails Action Pack
- Ruby on Rails Web Applications
- rails: >= 8.1.0, < 8.1.2.1 (Fixed in: 8.1.2.1)
Code Analysis
Commit: 6752711
Fix XSS vulnerability in debug exceptions template by removing the raw helper.
Exploit Details
- Official Rails Test Suite: Functional proof of concept within actionpack/test/dispatch/debug_exceptions_test.rb
Mitigation Strategies
- Upgrade the Action Pack and Rails framework dependencies to a patched version.
- Ensure production environments disable detailed exception reporting.
- Deploy Web Application Firewall (WAF) rules to detect and block explicit HTML tag injection in parameters.
Remediation Steps:
- Modify the application's Gemfile to require rails >= 8.1.2.1.
- Run bundle update rails to fetch and install the patched dependencies.
- Verify that config.consider_all_requests_local = false is explicitly set in config/environments/production.rb.
- Restart the application server to apply the updated middleware logic.
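An added Ruby example, not Rails' own code, modelling the fix described under Code Analysis and the production setting in the remediation steps: the same exception message rendered the way the raw helper inserts it versus passed through ERB::Util.html_escape (what a plain <%= %> does in Rails), plus a simplified model of the consider_all_requests_local switch. The message, the function names and the simplified switch are assumptions made for this example.

```ruby
require "erb"

# Constructed exception message containing markup, standing in for any
# attacker-influenced input that ends up in an unhandled exception.
MARKUP_MESSAGE = "missing record: <em>unescaped</em>".freeze

# Vulnerable rendering: the message is inserted verbatim, which is the
# effect of `raw` (or `html_safe`) on a string in an ERB view.
def render_debug_page_raw(exception)
  <<~HTML
    <h1>#{exception.class}</h1>
    <p>#{exception.message}</p>
  HTML
end

# Fixed rendering: the message is HTML-escaped first, the same
# transformation Rails applies to a non html_safe string in <%= %>.
def render_debug_page_escaped(exception)
  <<~HTML
    <h1>#{exception.class}</h1>
    <p>#{ERB::Util.html_escape(exception.message)}</p>
  HTML
end

# Simplified model (assumption) of when Rails renders the detailed page:
# consider_all_requests_local is true, or the request is local. With the
# production default of false, remote clients never see this page.
def show_detailed_exceptions?(consider_all_requests_local:, local_request:)
  consider_all_requests_local || local_request
end

# Check a test suite can run over rendered output: a message containing
# a tag must not appear verbatim in the page.
def leaks_markup?(html, message)
  message.match?(/<\w+/) && html.include?(message)
end

if __FILE__ == $PROGRAM_NAME
  exc = RuntimeError.new(MARKUP_MESSAGE)
  puts render_debug_page_raw(exc)      # tag survives
  puts render_debug_page_escaped(exc)  # tag rendered as &lt;em&gt;
end
```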
References
- GitHub Advisory: GHSA-pgm4-439c-5jp6
- Fix Commit: 6752711c8c31d79ba50d13af6a6698a3b85415e0
- Rails Release Tag: v8.1.2.1
- CVE.org Record
Read the full report for CVE-2026-33167 on our website for more details including interactive diagrams and full exploit analysis.
CVE Reports | Sciencx (2026-03-23T23:10:06+00:00) CVE-2026-33167: CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions. Retrieved from https://www.scien.cx/2026/03/23/cve-2026-33167-cve-2026-33167-cross-site-scripting-xss-in-ruby-on-rails-action-pack-debug-exceptions/