{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33167", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-23T22:58:53.577Z", "dateUpdated": "2026-03-23T23:18:56.415Z"}, "containers": {"cna": {"title": "Rails has a possible XSS vulnerability in its Action Pack debug exceptions", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6"}, {"name": "https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "actionpack", "versions": [{"version": ">= 8.1.0, < 8.1.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:18:56.415Z"}, "descriptions": [{"lang": "en", "value": "Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch."}], "source": {"advisory": "GHSA-pgm4-439c-5jp6", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch."}], "id": "CVE-2026-33167", "lastModified": "2026-03-23T23:17:12.707", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T23:17:12.707", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Rails: Action Pack: Action Pack: Cross-Site Scripting (XSS) via improper exception message escaping", "id": "2450552", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450552"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Action Pack, a component of the Rails framework. A remote attacker could exploit this vulnerability by crafting a malicious exception message. When this message is displayed on the debug exceptions page, the improper escaping of the message allows for the injection of arbitrary HTML and JavaScript, leading to Cross-Site Scripting (XSS). This primarily impacts applications with detailed exception pages enabled, which is the default setting in development environments."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that `config.consider_all_requests_local` is set to `false` in production environments for Rails applications. This configuration prevents the display of detailed exception pages, thereby eliminating the vector for this XSS vulnerability. This change may require a restart of the Rails application to take effect."}, "name": "CVE-2026-33167", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "rubygem-actionpack", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/rubygem-actionpack", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-23T22:58:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33167\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33167\nhttps://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,8.1.2.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "actionpack", "source": "cna", "vendor": "rails"}, "product": "actionpack", "vendor": "rubyonrails"}], "created": "2026-03-24T10:30:03.170699+00:00", "updated": "2026-03-24T10:30:03.170800+00:00", "vendors": ["rubyonrails", "rubyonrails$PRODUCT$actionpack"]}