CVE-2026-33168

LOW
2026-03-23 https://github.com/rails/rails

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:00 vuln.today
Patch Released
Mar 23, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:51 nvd
LOW

Tags

Ruby XSS

Description

### Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. ### Releases The fixed releases are available at the normal locations.

Analysis

A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

During next maintenance window: Apply vendor patches when convenient. Verify cross-site scripting controls are in place.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

0
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

Share

CVE-2026-33168 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy