Package details: pkg:gem/activesupport@8.1.0.beta1
purl pkg:gem/activesupport@8.1.0.beta1
Next non-vulnerable version 8.1.2.1
Latest non-vulnerable version 8.1.2.1
Risk 3.1
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-4tzv-1t1b-t3g3
Aliases:
CVE-2026-33169
GHSA-cg4j-q9v8-6v38
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

### Impact
`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

### Releases
The fixed releases are available at the normal locations.
8.1.2.1
Affected by 0 other vulnerabilities.
VCID-5tky-d2en-u7c7
Aliases:
CVE-2026-33170
GHSA-89vf-4333-qx8v
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

### Impact
`SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.

### Releases
The fixed releases are available at the normal locations.
8.1.2.1
Affected by 0 other vulnerabilities.
VCID-sarm-n22v-akcm
Aliases:
CVE-2026-33176
GHSA-2j26-frm8-cmj9
Rails Active Support has a possible DoS vulnerability in its number helpers

### Impact
Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

### Releases
The fixed releases are available at the normal locations.
8.1.2.1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-02T17:01:21.257458+00:00 GHSA Importer Affected by VCID-sarm-n22v-akcm https://github.com/advisories/GHSA-2j26-frm8-cmj9 38.1.0
2026-04-02T17:01:20.927368+00:00 GHSA Importer Affected by VCID-5tky-d2en-u7c7 https://github.com/advisories/GHSA-89vf-4333-qx8v 38.1.0
2026-04-02T17:01:20.749501+00:00 GHSA Importer Affected by VCID-4tzv-1t1b-t3g3 https://github.com/advisories/GHSA-cg4j-q9v8-6v38 38.1.0