Description
Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.
Published: 2026-03-23
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via debug exception page
Action: Patch Immediately
AI Analysis

Impact

Action Pack on Rails versions 8.1.x prior to 8.1.2.1 fails to escape messages shown on the debug exceptions page, allowing an attacker to inject arbitrary HTML or JavaScript when a crafted exception is raised. This injection results in a client‑side cross‑site scripting (XSS) condition that can be leveraged to deface pages, execute scripts in the user’s browser, or steal session data. The weakness aligns with CWE‑79 and only occurs when detailed exception pages are enabled, which is the default in development environments.

Affected Systems

Applications built with the Rails framework that include the Action Pack gem and are running Rails 8.1.x before 8.1.2.1. The vulnerability is limited to instances where the setting config.consider_all_requests_local is true, typically in non‑production deployments.

Risk and Exploitability

The CVSS score is 1.3, reflecting a very low severity that is valid only when debug mode is active. Exploitation requires the attacker to cause a specific exception with a crafted message, which generally means the attacker must already have code‑execution or code‑upload capabilities in the application. The vulnerability is not listed in the CISA KEV catalog and EPSS data is unavailable, suggesting a minimal likelihood of widespread exploitation in the wild.

Generated by OpenCVE AI on March 24, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rails to 8.1.2.1 or later.
  • In production, disable detailed exception pages by setting config.consider_all_requests_local to false.

Generated by OpenCVE AI on March 24, 2026 at 03:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pgm4-439c-5jp6 Rails has a possible XSS vulnerability in its Action Pack debug exceptions
History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails actionpack
Vendors & Products Rubyonrails
Rubyonrails actionpack

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development. Version 8.1.2.1 contains a patch.
Title Rails has a possible XSS vulnerability in its Action Pack debug exceptions
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'}

Subscriptions

Rubyonrails Actionpack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:44:13.020Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33167

cve-icon Vulnrichment

Updated: 2026-03-24T18:44:09.646Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T23:17:12.707

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-33167

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T22:58:53Z

Links: CVE-2026-33167 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:10Z

Weaknesses