{"url":"http://public2.vulnerablecode.io/api/packages/170955?format=json","purl":"pkg:gem/actionpack@7.0.8.6","type":"gem","namespace":"","name":"actionpack","version":"7.0.8.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.1.2.1","latest_non_vulnerable_version":"8.1.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51368?format=json","vulnerability_id":"VCID-ufrj-jn16-jybn","summary":"Rails has a possible XSS vulnerability in its Action Pack debug exceptions\n### Impact\nThe debug exceptions page does not properly escape exception messages.\nA carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.\nThis affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),\nwhich is the default in development.\n\n### Releases\nThe fixed releases are available at the normal locations.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33167","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06252","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06303","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06292","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06286","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0624","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33167"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/"}],"url":"https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0"},{"reference_url":"https://github.com/rails/rails/releases/tag/v8.1.2.1","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/"}],"url":"https://github.com/rails/rails/releases/tag/v8.1.2.1"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:44:05Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33167","reference_id":"","reference_type":"","scores":[{"value":"1.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33167"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450552","reference_id":"2450552","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2450552"},{"reference_url":"https://github.com/advisories/GHSA-pgm4-439c-5jp6","reference_id":"GHSA-pgm4-439c-5jp6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pgm4-439c-5jp6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112774?format=json","purl":"pkg:gem/actionpack@8.1.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.1.2.1"}],"aliases":["CVE-2026-33167","GHSA-pgm4-439c-5jp6"],"risk_score":2.5,"exploitability":"0.5","weighted_severity":"4.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ufrj-jn16-jybn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51356?format=json","vulnerability_id":"VCID-v3vg-9jdz-guf5","summary":"Possible Content Security Policy bypass in Action Dispatch\nThere is a possible Cross Site Scripting (XSS) vulnerability\nin the `content_security_policy` helper in Action Pack.\n\n## Impact\n\nApplications which set Content-Security-Policy (CSP) headers\ndynamically from untrusted user input may be vulnerable to\ncarefully crafted inputs being able to inject new directives\ninto the CSP. This could lead to a bypass of the CSP and its\nprotection against XSS and other attacks.\n\n## Releases\n\nThe fixed releases are available at the normal locations.\n\n## Workarounds\n\nApplications can avoid setting CSP headers dynamically from\nuntrusted input, or can validate/sanitize that input.\n\n## Credits\n\nThanks to [ryotak](https://hackerone.com/ryotak) for the report!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-54133.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133","reference_id":"","reference_type":"","scores":[{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40683","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40724","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.4067","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.407","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0019","scoring_system":"epss","scoring_elements":"0.40728","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-54133"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54133"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49"},{"reference_url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a"},{"reference_url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542"},{"reference_url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:05:59Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250306-0010","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250306-0010"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755","reference_id":"1089755","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089755"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619","reference_id":"2331619","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2331619"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133","reference_id":"CVE-2024-54133","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54133"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml","reference_id":"CVE-2024-54133.YML","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml"},{"reference_url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v","reference_id":"GHSA-vfm5-rmrh-j26v","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vfm5-rmrh-j26v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83509?format=json","purl":"pkg:gem/actionpack@7.0.8.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ufrj-jn16-jybn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.7"},{"url":"http://public2.vulnerablecode.io/api/packages/169567?format=json","purl":"pkg:gem/actionpack@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37qm-tp8v-tugb"},{"vulnerability":"VCID-bfqq-ypyw-dycj"},{"vulnerability":"VCID-n798-maqx-y3c9"},{"vulnerability":"VCID-nprk-kfvh-vqfh"},{"vulnerability":"VCID-ufrj-jn16-jybn"},{"vulnerability":"VCID-v3vg-9jdz-guf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/83510?format=json","purl":"pkg:gem/actionpack@7.1.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ufrj-jn16-jybn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.1.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/81714?format=json","purl":"pkg:gem/actionpack@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37qm-tp8v-tugb"},{"vulnerability":"VCID-3m5y-hn64-bub8"},{"vulnerability":"VCID-nprk-kfvh-vqfh"},{"vulnerability":"VCID-ufrj-jn16-jybn"},{"vulnerability":"VCID-v3vg-9jdz-guf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/83511?format=json","purl":"pkg:gem/actionpack@7.2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ufrj-jn16-jybn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.2.2.1"},{"url":"http://public2.vulnerablecode.io/api/packages/170218?format=json","purl":"pkg:gem/actionpack@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-37qm-tp8v-tugb"},{"vulnerability":"VCID-nprk-kfvh-vqfh"},{"vulnerability":"VCID-ufrj-jn16-jybn"},{"vulnerability":"VCID-v3vg-9jdz-guf5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/83512?format=json","purl":"pkg:gem/actionpack@8.0.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ufrj-jn16-jybn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@8.0.0.1"}],"aliases":["CVE-2024-54133","GHSA-vfm5-rmrh-j26v"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v3vg-9jdz-guf5"}],"fixing_vulnerabilities":[],"risk_score":"2.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionpack@7.0.8.6"}