XSS in Rails Actionpack

CVE-2026-33167

Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message cou…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (6.3th percentile)

References