Skip to main content

Action View CVE-2026-33168

LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-23 https://github.com/rails/rails
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
CVSS changed
Apr 16, 2026 - 14:52 NVD
2.3 (LOW)
Analysis Generated
Mar 23, 2026 - 21:00 vuln.today
Patch released
Mar 23, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:51 nvd
LOW

DescriptionGitHub Advisory

Impact

When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

A cross-site scripting (XSS) vulnerability exists in Ruby on Rails Action View tag helpers when blank strings are used as HTML attribute names, allowing attribute escaping to be bypassed and producing malformed HTML. Applications that permit users to specify custom HTML attributes are vulnerable, potentially enabling attackers to inject arbitrary JavaScript that executes in users' browsers. Patches are available from the Rails vendor across multiple affected versions (7.2.3.1, 8.0.4.1, and 8.1.2.1), and remediation should be prioritized for user-facing Rails applications accepting custom attribute inputs.

Technical ContextAI

The vulnerability resides in the Ruby on Rails Action View component (CPE: pkg:rubygems/actionview), which is responsible for rendering HTML templates and sanitizing user-supplied input for HTML attributes. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating that attribute escaping logic fails when an attribute name is a blank string, causing subsequent attribute values to be misinterpreted by the browser as attribute names rather than values. This bypasses the framework's built-in cross-site scripting protections, allowing attackers to inject malicious attributes that the browser parses as separate HTML attributes, potentially containing event handlers (onclick, onload, etc.) that execute JavaScript in the victim's security context.

RemediationAI

Immediately upgrade Ruby on Rails to patched versions: 7.2.3.1 or later for the 7.2 series, 8.0.4.1 or later for the 8.0 series, or 8.1.2.1 or later for the 8.1 series. Patches are available at the standard Rails distribution channels and GitHub (https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c, https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d, https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924). Until patching is complete, audit all application code that accepts user-supplied HTML attributes, validate and sanitize attribute names to reject blank strings, and consider implementing a Content Security Policy (CSP) with strict script-src directives to mitigate XSS impact.

Share

CVE-2026-33168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy