CVE-2026-33167
LOWLifecycle Timeline
3DescriptionCVE.org
Impact
The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development.
Releases
The fixed releases are available at the normal locations.
AnalysisAI
A Cross-Site Scripting (XSS) vulnerability exists in Ruby on Rails' debug exceptions page due to improper HTML escaping of exception messages. This affects Rails applications running in development mode with detailed exception pages enabled (config.consider_all_requests_local = true, which is the default), allowing an attacker to inject arbitrary HTML and JavaScript that executes in the context of the debug page. While this primarily impacts development environments, applications with development configurations exposed to untrusted network access or those reusing development settings in production could face real exploitation risk.
Technical ContextAI
The vulnerability resides in the actionpack gem (pkg:rubygems/actionpack), which is Rails' component responsible for request handling and exception rendering. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a standard XSS weakness. When Rails encounters an unhandled exception in development mode, it renders a detailed debug page displaying the exception message. The vulnerable code fails to properly HTML-escape exception messages before inserting them into the page, allowing injection of malicious script tags or event handlers. This occurs specifically in the exception rendering pipeline that generates the diagnostic error page shown to developers.
RemediationAI
Upgrade Ruby on Rails to version 8.1.2.1 or later, which includes the fix for improper exception message escaping. This patch is available at normal vendor release channels (https://github.com/rails/rails/releases/tag/v8.1.2.1). For organizations unable to immediately patch, restrict network access to development systems running Rails applications, disable or set config.consider_all_requests_local = false on non-development systems, and implement network segmentation to ensure development environments are not directly exposed to untrusted user input. Additionally, configure web servers and load balancers to reject requests designed to trigger exceptions with suspicious payloads as a temporary compensating control.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today