{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33170", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-23T23:09:48.923Z", "dateUpdated": "2026-03-23T23:19:36.467Z"}, "containers": {"cna": {"title": "Rails Active Support has a possible XSS vulnerability in SafeBuffer#%", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v"}, {"name": "https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7"}, {"name": "https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db"}, {"name": "https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "activesupport", "versions": [{"version": ">= 8.1.0.beta1, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0.beta1, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:36.467Z"}, "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-89vf-4333-qx8v", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "id": "CVE-2026-33170", "lastModified": "2026-03-24T00:16:28.287", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T00:16:28.287", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "Rails: Active Support: Active Support: Cross-Site Scripting (XSS) due to improper HTML safety flag propagation in SafeBuffer#%", "id": "2450543", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450543"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Active Support, a toolkit of support libraries for the Rails framework. When a `SafeBuffer` is modified in place and subsequently formatted with untrusted input, the `@html_unsafe` flag is not correctly propagated. This improper handling causes the buffer to incorrectly report as safe, bypassing ERB auto-escaping. A remote attacker could exploit this Cross-Site Scripting (XSS) vulnerability to inject malicious scripts into web pages viewed by other users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-33170", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "rubygem-activesupport", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "satellite:el8/rubygem-activesupport", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-03-23T23:09:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33170\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33170\nhttps://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7\nhttps://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db\nhttps://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0.beta1,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0.beta1,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "activesupport", "source": "cna", "vendor": "rails"}, "product": "activesupport", "vendor": "rails"}], "created": "2026-03-24T10:29:59.286235+00:00", "updated": "2026-03-24T10:29:59.286319+00:00", "vendors": ["rails", "rails$PRODUCT$activesupport"]}