CVE-2026-33167

LOW
2026-03-23 https://github.com/rails/rails

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch Released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:45 nvd
LOW

Tags

XSS Denial Of Service

Description

### Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. ### Releases The fixed releases are available at the normal locations.

Analysis

A Cross-Site Scripting (XSS) vulnerability exists in Ruby on Rails' debug exceptions page due to improper HTML escaping of exception messages. This affects Rails applications running in development mode with detailed exception pages enabled (config.consider_all_requests_local = true, which is the default), allowing an attacker to inject arbitrary HTML and JavaScript that executes in the context of the debug page. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

0
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

Share

CVE-2026-33167 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy