UNKNOWN RubyGems
Rails has a possible XSS vulnerability in its Action View tag helpers
GHSA-v55j-83pf-r9cq · CVE-2026-33168
Published · Modified
Description
Impact
When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
Releases
The fixed releases are available at the normal locations.
Credit
This issue was responsibly reported by Hackerone researcher taise.
References
- WEB https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33168
- WEB https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
- WEB https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
- WEB https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
- PACKAGE https://github.com/rails/rails
- WEB https://github.com/rails/rails/releases/tag/v7.2.3.1
- WEB https://github.com/rails/rails/releases/tag/v8.0.4.1
- WEB https://github.com/rails/rails/releases/tag/v8.1.2.1
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2026-33168.yml
Ready to move
Start Securing
Free, no credit card | First findings in minutes