Action View CVE-2026-33168
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
Releases
The fixed releases are available at the normal locations.
AnalysisAI
A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. Patches are available from the Rails vendor across multiple affected versions (7.2.3.1, 8.0.4.1, and 8.1.2.1), and remediation should be prioritized for user-facing Rails applications accepting custom attribute inputs.
Technical ContextAI
The vulnerability resides in the Ruby on Rails Action View component (CPE: pkg:rubygems/actionview), which is responsible for rendering HTML templates and sanitizing user-supplied input for HTML attributes. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that attribute escaping logic fails when an attribute name is a blank string, causing subsequent attribute values to be misinterpreted by the browser as attribute names rather than values. This bypasses the framework's built-in cross-site scripting protections, allowing attackers to inject malicious attributes that the browser parses as separate HTML attributes, potentially containing event handlers (onclick, onload, etc.) that execute JavaScript in the victim's security context.
RemediationAI
Immediately upgrade Ruby on Rails to patched versions: 7.2.3.1 or later for the 7.2 series, 8.0.4.1 or later for the 8.0 series, or 8.1.2.1 or later for the 8.1 series. Patches are available at the standard Rails distribution channels and GitHub (https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c, https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d, https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924). Until patching is complete, audit all application code that accepts user-supplied HTML attributes, validate and sanitize attribute names to reject blank strings, and consider implementing a Content Security Policy (CSP) with strict script-src directives to mitigate XSS impact.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today