Rails Action View XSS via Empty Attribute Name (pre-8.1.2.1/8.0.4.1/7.2.3.1)
CVE-2026-33168 Published on March 23, 2026
Rails has a possible XSS vulnerability in its Action View tag helpers
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-33168 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-33168
Want to know whenever a new CVE is published for Ruby on Rails Rails? stack.watch will email you.
Affected Versions
rails actionview:- Version >= 8.1.0.beta1, < 8.1.2.1 is affected.
- Version >= 8.0.0.beta1, < 8.0.4.1 is affected.
- Version < 7.2.3.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.