CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions

Vulnerability ID: CVE-2026-33167
CVSS Score: 1.3
Published: 2026-03-23

This content originally appeared on DEV Community and was authored by CVE Reports

Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to Cross-Site Scripting (XSS). This affects applications with detailed exception pages enabled, which is the default in development environments.

TL;DR

Ruby on Rails Action Pack versions 8.1.0 through 8.1.2 contain a Cross-Site Scripting vulnerability in the debug exceptions page. Attackers can execute arbitrary JavaScript by reflecting crafted input into an unhandled exception message.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0 Score: 1.3
  • Exploit Status: Proof of Concept
  • CISA KEV: No
  • Authentication Required: None

Affected Systems

  • Ruby on Rails Action Pack
  • Ruby on Rails Web Applications
  • rails: >= 8.1.0, < 8.1.2.1 (Fixed in: 8.1.2.1)

Code Analysis

Commit: 6752711

Fix XSS vulnerability in debug exceptions template by removing the raw helper.
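The commit message above says the fix is simply to stop passing the exception message through the raw helper. The following Ruby snippet is an added illustration, not code from the Rails project or from that commit: it models the pre-fix template (message inserted verbatim, as raw does) next to the post-fix template (message passed through Rails' default HTML escaping, modelled here with ERB::Util.html_escape), using a constructed exception message that happens to contain markup.

```ruby
require "erb"

# Constructed sample exception message containing markup (not taken from the
# advisory). In the affected versions an attacker-influenced string like this
# could end up in an unhandled exception's message.
SAMPLE_MESSAGE = "undefined method for '<script>alert(1)</script>'"

# Models the pre-fix debug template, where `raw exception.message` inserts
# the string into the page without escaping.
def render_unescaped(message)
  "<h1>Unhandled exception</h1><pre>#{message}</pre>"
end

# Models the post-fix template: a plain <%= %> in Rails applies HTML escaping,
# which ERB::Util.html_escape reproduces outside of ActionView.
def render_escaped(message)
  "<h1>Unhandled exception</h1><pre>#{ERB::Util.html_escape(message)}</pre>"
end

# Simple check a reviewer can run against rendered output: does a tag from the
# message survive as live markup?
def contains_live_tag?(html, tag)
  html.include?("<#{tag}")
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unescaped(SAMPLE_MESSAGE)}"
  puts "escaped:   #{render_escaped(SAMPLE_MESSAGE)}"
end
```

The escaped rendering keeps the message readable on the error page while turning `<` and `>` into entities, which is exactly the behaviour the raw helper was bypassing.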

Exploit Details

Mitigation Strategies

  • Upgrade the Action Pack and Rails framework dependencies to a patched version.
  • Ensure production environments disable detailed exception reporting.
  • Deploy Web Application Firewall (WAF) rules to detect and block explicit HTML tag injection in parameters.

Remediation Steps:

  1. Modify the application's Gemfile to require rails >= 8.1.2.1.
  2. Run bundle update rails to fetch and install the patched dependencies.
  3. Verify that config.consider_all_requests_local = false is explicitly set in config/environments/production.rb.
  4. Restart the application server to apply the updated middleware logic.
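To verify steps 1 to 3 above without trusting memory, a small check over the lockfile and the production config is enough. The script below is an added example, not tooling from Rails or from the advisory author; the Gemfile.lock and production.rb excerpts it reads are constructed for the example, and the affected range is the one the advisory states (>= 8.1.0, < 8.1.2.1).

```ruby
require "rubygems" # Gem::Version / Gem::Requirement

FIXED_VERSION  = Gem::Version.new("8.1.2.1")
AFFECTED_RANGE = Gem::Requirement.new(">= 8.1.0", "< 8.1.2.1")

# Constructed Gemfile.lock excerpt (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        actionview (= 8.1.2)
        activesupport (= 8.1.2)
      rails (8.1.2)
        actionpack (= 8.1.2)
LOCK

# Constructed config/environments/production.rb excerpt.
SAMPLE_PROD_CONFIG = <<~RB
  Rails.application.configure do
    config.consider_all_requests_local = false
    config.eager_load = true
  end
RB

# Resolve the locked version of a gem from a top-level spec line such as
# "    actionpack (8.1.2)". Dependency lines are indented deeper and are ignored.
def locked_version(lockfile, gem_name)
  m = lockfile.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def vulnerable_version?(version)
  AFFECTED_RANGE.satisfied_by?(version)
end

# True only when an uncommented, explicit `consider_all_requests_local = false`
# is present; a commented-out line does not count.
def detailed_exceptions_disabled?(config_source)
  config_source.lines.any? do |line|
    line.strip.match?(/\Aconfig\.consider_all_requests_local\s*=\s*false\z/)
  end
end

# The fix lives in actionpack, so that is the gem whose locked version matters.
def assess(lockfile, prod_config)
  version = locked_version(lockfile, "actionpack")
  {
    actionpack_version: version&.to_s,
    vulnerable: version ? vulnerable_version?(version) : nil,
    production_exposes_debug_page: !detailed_exceptions_disabled?(prod_config)
  }
end

if __FILE__ == $PROGRAM_NAME
  p assess(SAMPLE_LOCKFILE, SAMPLE_PROD_CONFIG)
end
```

Run it against a real project by reading Gemfile.lock and config/environments/production.rb from disk; a result of vulnerable: true means step 2 has not actually landed, and production_exposes_debug_page: true means step 3 still needs attention regardless of the gem version.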

References

Read the full report for CVE-2026-33167 on our website for more details including interactive diagrams and full exploit analysis.


Source: CVE Reports | Sciencx (2026-03-23T23:10:06+00:00), CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions. Retrieved from https://www.scien.cx/2026/03/23/cve-2026-33167-cve-2026-33167-cross-site-scripting-xss-in-ruby-on-rails-action-pack-debug-exceptions/