Skip to main content

Red Hat CVE-2026-33170

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-23 https://github.com/rails/rails
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 23, 2026 - 21:00 vuln.today
Patch released
Mar 23, 2026 - 21:00 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:53 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

AnalysisAI

SafeBuffer's string formatting operator (%) in Ruby fails to preserve HTML safety flags when processing untrusted input, allowing attackers to inject malicious scripts that bypass ERB auto-escaping protections. An attacker can exploit this by providing crafted arguments to the % operator on a mutated SafeBuffer, causing the resulting string to be incorrectly marked as safe and potentially leading to cross-site scripting (XSS) attacks. A patch is available for affected applications.

Technical ContextAI

ActiveSupport's SafeBuffer class (pkg:rubygems/activesupport) implements HTML safety tracking via an @html_unsafe flag to prevent XSS in ERB templating. When a SafeBuffer is mutated in-place via methods like gsub!, the modified buffer retains its safe status. However, when the % formatting operator is subsequently used with untrusted user arguments, it creates a new buffer object without properly copying the @html_unsafe flag from the parent. This is a type confusion issue classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause is insufficient state propagation in string formatting operations on marked-safe objects, violating the principle that any buffer containing user input should not be implicitly trusted.

RemediationAI

Immediately upgrade ActiveSupport to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or later depending on your Rails version. These patched releases are available from the standard RubyGems repository and can be installed via bundle update activesupport. The fixes are applied in commits 50d732af3b7c8aaf63cbcca0becbc00279b215b7, 6e8a81108001d58043de9e54a06fca58962fc2db, and c1ad0e8e1972032f3395853a5e99cea035035beb, which properly propagate the @html_unsafe flag during string formatting operations. As an interim compensating control, audit templates that perform in-place mutations (gsub!, sub!, etc.) on SafeBuffer objects followed by % formatting and consider refactoring to avoid such patterns, though patching is the definitive solution.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP4 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP5 Fixed
SUSE Linux Enterprise High Availability Extension 15 Fixed

Share

CVE-2026-33170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy