CVE-2026-33167: Cross-Site Scripting (XSS) in Ruby on Rails Action Pack Debug Exceptions
Source: Dev.to
Vulnerability ID: CVE-2026-33167
CVSS Score: 1.3
Published: 2026-03-23
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to Cross‑Site Scripting (XSS). This affects applications with detailed exception pages enabled, which is the default in development environments.
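The flaw class described above, unescaped exception text reaching the HTML body of a debug page, is easiest to see side by side with the escaped form. The following is an added, self-contained Ruby illustration written for this page; it is not Action Pack's template or the fix itself, and the crafted message, function names and the `consider_all_requests_local:` switch are constructed stand-ins for the real middleware:

```ruby
require "erb"

# Constructed sample: an exception whose message carries markup, the kind of
# crafted input the advisory describes (a test value, not taken from the page).
CRAFTED_MESSAGE = "Record not found: <script>alert('xss')</script>"

# Simplified stand-in for a debug error page. Interpolating the message directly
# reproduces the flaw class (exception text inserted into HTML without escaping).
# Illustration only, not Action Pack's code.
def render_debug_page_unescaped(exception)
  "<h1>#{exception.class.name}</h1><pre>#{exception.message}</pre>"
end

# Hardened form: every dynamic value goes through html_escape, which turns
# & < > " and ' into entities, so markup in the message is rendered as text.
def render_debug_page_escaped(exception)
  "<h1>#{ERB::Util.html_escape(exception.class.name)}</h1>" \
  "<pre>#{ERB::Util.html_escape(exception.message)}</pre>"
end

# Mirrors the Rails behaviour the advisory relies on: only "local" requests
# (development by default) get the detailed page; otherwise a generic page is
# returned that never echoes the exception message at all.
def error_response(exception, consider_all_requests_local:)
  if consider_all_requests_local
    render_debug_page_escaped(exception)
  else
    "<h1>Something went wrong</h1>"
  end
end

# Tiny check used by the demo: did raw script markup survive into the output?
def contains_raw_script?(html)
  html.include?("<script>")
end

if __FILE__ == $PROGRAM_NAME
  error = RuntimeError.new(CRAFTED_MESSAGE)
  puts "unescaped:  #{render_debug_page_unescaped(error)}"
  puts "escaped:    #{render_debug_page_escaped(error)}"
  puts "production: #{error_response(error, consider_all_requests_local: false)}"
end
```

Running it prints the unescaped page with the `<script>` element intact, the escaped page with `&lt;script&gt;` as inert text, and the generic production page. The second defence (the `consider_all_requests_local` switch) is why the advisory's impact is limited to environments that show detailed exception pages.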
TL;DR
Ruby on Rails Action Pack versions 8.1.0 through 8.1.2 contain a Cross-Site Scripting vulnerability in the debug exceptions page. An attacker who can get crafted input reflected into an unhandled exception message can execute arbitrary JavaScript in the browser of whoever views the detailed exception page, which is shown by default in development environments.
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v4.0 Score: 1.3
- Exploit Status: Proof of Concept
- CISA KEV: No
- Authentication Required: None
Affected Systems
- Ruby on Rails Action Pack
- Ruby on Rails Web Applications
Version range: >= 8.1.0, < 8.1.2.1.
Remediation
1. Update the Rails / Action Pack dependency in the Gemfile to >= 8.1.2.1.
2. Run bundle update rails to fetch and install the patched dependencies.
3. Verify that config.consider_all_requests_local = false is explicitly set in config/environments/production.rb.
4. Restart the application server to apply the updated middleware logic.
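The remediation steps above can be verified mechanically. The following added Ruby script (written for this page, not part of the Rails project) parses the `actionpack` entry out of a `Gemfile.lock`, compares it against the patched release using `Gem::Version`, and confirms that `config/environments/production.rb` carries an active, uncommented `config.consider_all_requests_local = false`. The lockfile and config excerpts are constructed samples; point the two `read` calls at a real project to use it as a pre-deploy check:

```ruby
require "rubygems"

PATCHED_VERSION = Gem::Version.new("8.1.2.1")

# Minimal parser for the "    actionpack (x.y.z)" line in Gemfile.lock's specs.
def actionpack_version(lockfile_text)
  match = lockfile_text.match(/^\s+actionpack \(([\d.]+)\)/)
  match && Gem::Version.new(match[1])
end

# Affected if on the 8.1 branch and below the patched release; older branches
# are outside the range stated in the advisory and are not flagged here.
def vulnerable_version?(version)
  return false if version.nil?
  version >= Gem::Version.new("8.1.0") && version < PATCHED_VERSION
end

# True only for an active assignment; comments are stripped first so a
# commented-out line does not count as "explicitly set".
def local_requests_disabled?(production_rb_text)
  production_rb_text.each_line.any? do |line|
    line.sub(/#.*/, "").match?(/config\.consider_all_requests_local\s*=\s*false\b/)
  end
end

def remediation_report(lockfile_text, production_rb_text)
  version = actionpack_version(lockfile_text)
  {
    actionpack: version&.to_s,
    vulnerable_version: vulnerable_version?(version),
    production_debug_pages_off: local_requests_disabled?(production_rb_text),
  }
end

# Constructed sample inputs (not from a real project).
SAMPLE_LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
LOCK

SAMPLE_LOCK_AFTER = SAMPLE_LOCK_BEFORE.sub("8.1.2)", "8.1.2.1)")

SAMPLE_PRODUCTION_RB = <<~RB
  Rails.application.configure do
    config.consider_all_requests_local = false
  end
RB

if __FILE__ == $PROGRAM_NAME
  # Replace the sample strings with File.read("Gemfile.lock") and
  # File.read("config/environments/production.rb") for a real project.
  p remediation_report(SAMPLE_LOCK_BEFORE, SAMPLE_PRODUCTION_RB)
  p remediation_report(SAMPLE_LOCK_AFTER, SAMPLE_PRODUCTION_RB)
end
```

The first report flags `vulnerable_version: true` for 8.1.2; after `bundle update rails` brings the lockfile to 8.1.2.1 the second report clears it. A failing `production_debug_pages_off` means step 3 has not been done and the detailed page could be rendered in production.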