XSS via Unescaped Exception Messages in Rails Action Pack 8.1 < 8.1.2.1
CVE-2026-33167 Published on March 23, 2026
Rails has a possible XSS vulnerability in its Action Pack debug exceptions
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.
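The following Ruby script is an added illustration of the bug class the advisory describes, not code from Rails or Action Pack: a small, hypothetical debug template interpolates an exception message into HTML verbatim, next to the same template with `ERB::Util.html_escape` applied, plus a check of the affected actionpack version range stated above using `Gem::Requirement`. The `SampleError` class, the template markup and the version strings are constructed for the example.

```ruby
# Added example, not part of the advisory or the Rails code base. It shows why an
# unescaped exception message is an HTML-injection sink and how escaping removes
# the problem, and checks a version string against the advisory's affected range.
require "erb"
require "rubygems"

# Constructed sample: an exception whose message happens to carry HTML markup.
# Exception messages routinely echo request-derived data (ids, names, paths),
# which is why a debug page must escape them before rendering.
class SampleError < StandardError; end
SAMPLE_EXCEPTION = SampleError.new("Record not found: <b>alpha</b> & <i>beta</i>")

# Hypothetical minimal debug template. The unsafe form interpolates the
# message verbatim, so any markup in the message becomes part of the page.
def render_debug_page_unsafe(exception)
  "<h1>#{exception.class.name}</h1><p class=\"message\">#{exception.message}</p>"
end

# Hardened form: HTML-escape both the class name and the message first.
def render_debug_page_escaped(exception)
  klass = ERB::Util.html_escape(exception.class.name)
  msg   = ERB::Util.html_escape(exception.message)
  "<h1>#{klass}</h1><p class=\"message\">#{msg}</p>"
end

# Review-time check over rendered output: does the message region still
# contain a raw angle bracket? True means markup reached the page unescaped.
def message_contains_raw_markup?(html)
  body = html[%r{<p class="message">(.*?)</p>}m, 1] || ""
  body.match?(/[<>]/)
end

# Affected range from the advisory: actionpack >= 8.1.0, < 8.1.2.1
AFFECTED_RANGE = Gem::Requirement.new(">= 8.1.0", "< 8.1.2.1")

# Returns true when the given actionpack version falls in the affected range.
def actionpack_affected?(version_string)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version_string))
end

if __FILE__ == $PROGRAM_NAME
  puts render_debug_page_unsafe(SAMPLE_EXCEPTION)
  puts render_debug_page_escaped(SAMPLE_EXCEPTION)
  # Constructed sample versions for the range check.
  %w[8.0.2 8.1.0 8.1.2 8.1.2.1].each do |v|
    puts "actionpack #{v}: #{actionpack_affected?(v) ? 'affected' : 'not affected'}"
  end
end
```

Running the script prints the raw and escaped renderings side by side; the escaped one turns `<b>` into `&lt;b&gt;` and `&` into `&amp;`, so the browser displays the message as text rather than parsing it as markup. The version check reads the range from the advisory, so the same helper can be pointed at `Gem.loaded_specs["actionpack"].version.to_s` in an application to confirm whether it still needs the 8.1.2.1 upgrade.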
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-33167 has been classified as an XSS vulnerability or weakness.
Products Associated with CVE-2026-33167
Affected Versions
rails actionpack Version >= 8.1.0, < 8.1.2.1 is affected by CVE-2026-33167
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with the scores of all other vulnerabilities.