CVE-2026-33167 — Vulnetix

CVE-2026-33167 PUBLISHED CVSS 1.2999999523162842 LOW

Rails has a possible XSS vulnerability in its Action Pack debug exceptions

EPSS 0.02% · 6.4th percentile

Risk Scores

CVSS v4.0

1.2999999523162842

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

EPSS Score

0.02%

6.4th percentile

Affected Products

Vendor	Product	Versions
rails	activestorage	< 7.2.3.1, >= 8.1.0.beta1, < 8.1.2.1, >= 8.0.0.beta1, < 8.0.4.1
RubyGems	actionpack	8.1.0, 8.1.0, 8.1.0
rails	actionpack	>= 8.1.0, < 8.1.2.1

Timeline

Mar 23, 2026 CVE Published
Mar 23, 2026 Security Advisory
Mar 23, 2026 PoC Published
Mar 24, 2026 EPSS Score
Mar 24, 2026 PoC Published
Mar 24, 2026 PoC Published
Mar 24, 2026 CVE Updated
Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 27, 2026 PoC Published
Mar 27, 2026 PoC Published
Mar 27, 2026 PoC Published

References

https://discuss.rubyonrails.org/t/cve-2026-33168-possible-xss-vulnerability-in-action-view-tag-helpers/90912 advisory
https://discuss.rubyonrails.org/t/cve-2026-33169-possible-redos-vulnerability-in-number-to-delimited-in-active-support/90911 advisory
https://discuss.rubyonrails.org/t/cve-2026-33170-possible-xss-vulnerability-in-safebuffer-in-active-support/90910 advisory
https://discuss.rubyonrails.org/t/cve-2026-33167-possible-xss-vulnerability-in-action-pack-debug-exceptions/90913 advisory
https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906 advisory
https://discuss.rubyonrails.org/t/cve-2026-33174-possible-dos-vulnerability-in-active-storage-proxy-mode-via-range-requests/90908 advisory
https://discuss.rubyonrails.org/t/cve-2026-33202-possible-glob-injection-in-active-storage-diskservice/90903 advisory
https://discuss.rubyonrails.org/t/cve-2026-33195-possible-path-traversal-in-active-storage-diskservice/90904 advisory
https://discuss.rubyonrails.org/t/cve-2026-33173-insufficient-filtering-of-metadata-in-active-storage-direct-uploads/90909 advisory
https://discuss.rubyonrails.org/t/cve-2026-33176-possible-dos-vulnerability-in-active-support-number-helpers/90907 advisory
https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0 technical
https://github.com/rails/rails/releases/tag/v8.1.2.1 technical
https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6 technical
https://nvd.nist.gov/vuln/detail/CVE-2026-33167 advisory
https://github.com/rails/rails package
https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m url
https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c url
https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf url
https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82 url
https://github.com/rails/rails/releases/tag/v7.2.3.1 url

…and 1 more

Open in Interactive Console →