๐Ÿ” CVE Alert

CVE-2026-33167

UNKNOWN 0.0

Rails has a possible XSS vulnerability in its Action Pack debug exceptions

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 3rd

Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.

CWE CWE-79
Vendor rails
Product actionpack
Published Mar 23, 2026
Last Updated Mar 24, 2026

Affected Versions

rails / actionpack
>= 8.1.0, < 8.1.2.1

References

https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
https://github.com/rails/rails/releases/tag/v8.1.2.1