RubyGems

Rails has a possible XSS vulnerability in its Action Pack debug exceptions

GHSA-pgm4-439c-5jp6 · CVE-2026-33167


Description

Impact

The debug exceptions page rendered by Action Pack does not properly escape exception messages. A carefully crafted exception message can inject arbitrary HTML and JavaScript into the page, leading to cross-site scripting (XSS) in the browser of whoever views the error page. This affects applications that have detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in the development environment. Production environments leave this setting false by default; confirm that no environment file or initializer enables it outside development, since doing so would expose the vulnerable page to remote users.
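To make the failure mode concrete, the following is an added example, not code from Rails or from the advisory: it contrasts a hypothetical rendering that interpolates an exception message straight into HTML (the pattern the advisory describes) with a hardened version that passes every attacker-influenced fragment through ERB::Util.html_escape. The exception class, the message and the markup are constructed for this illustration.

```ruby
require 'erb'

# Constructed example: a message carrying HTML/JS, standing in for an
# exception whose text was influenced by request input.
class DemoError < StandardError; end

MALICIOUS_MESSAGE = 'bad input: <script>alert(document.cookie)</script>'

# Hypothetical "before": the message is interpolated unescaped into the
# page, so any tags it contains become live markup.
def render_unescaped(exception)
  "<h1>#{exception.class.name}</h1><pre>#{exception.message}</pre>"
end

# Hypothetical hardened form: html_escape turns &, <, >, " and ' into
# entities, so the message is displayed as text rather than parsed.
def render_escaped(exception)
  cls = ERB::Util.html_escape(exception.class.name)
  msg = ERB::Util.html_escape(exception.message)
  "<h1>#{cls}</h1><pre>#{msg}</pre>"
end

# Minimal check for a test suite: the raw script tag must not survive.
def contains_live_script?(html)
  html.include?('<script>')
end

if __FILE__ == $PROGRAM_NAME
  err = DemoError.new(MALICIOUS_MESSAGE)
  puts "unescaped: #{render_unescaped(err)}"
  puts "escaped:   #{render_escaped(err)}"
  puts "unescaped injects script: #{contains_live_script?(render_unescaped(err))}"
  puts "escaped injects script:   #{contains_live_script?(render_escaped(err))}"
end
```

The same check (assert that an error page produced from a hostile message contains no unescaped tag) is worth keeping in an application's own request specs, because a later template change can reintroduce raw interpolation silently.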

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by HackerOne researcher fbettag.
