Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ufrj-jn16-jybn
Vulnerability ID VCID-ufrj-jn16-jybn
Aliases CVE-2026-33167
GHSA-pgm4-439c-5jp6
Summary Rails has a possible XSS vulnerability in its Action Pack debug exceptions ### Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. ### Releases The fixed releases are available at the normal locations.
Status Published
Exploitability 0.5
Weighted Severity 4.9
Risk 2.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
cvssv3 5.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json
cvssv4 1.3 https://github.com/rails/rails
generic_textual LOW https://github.com/rails/rails
cvssv4 1.3 https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
generic_textual LOW https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
cvssv4 1.3 https://github.com/rails/rails/releases/tag/v8.1.2.1
generic_textual LOW https://github.com/rails/rails/releases/tag/v8.1.2.1
cvssv4 1.3 https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
generic_textual LOW https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
cvssv4 1.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
cvssv4 1.3 https://nvd.nist.gov/vuln/detail/CVE-2026-33167
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2026-33167
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json
https://github.com/rails/rails
https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
https://github.com/rails/rails/releases/tag/v8.1.2.1
https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
https://nvd.nist.gov/vuln/detail/CVE-2026-33167
2450552 https://bugzilla.redhat.com/show_bug.cgi?id=2450552
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33167.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://github.com/rails/rails
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://github.com/rails/rails/releases/tag/v8.1.2.1
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33167
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T16:14:43.123552+00:00 Ruby Importer Import https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2026-33167.yml 38.6.0