Description
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via malformed HTML attributes in Rails ActionView tag helpers
Action: Patch Now
AI Analysis

Impact

Rails Action View provides helpers for generating HTML. When a blank string is supplied as an attribute name, the escaping logic is bypassed, producing malformed markup. A malicious attribute value can be interpreted by the browser as a separate attribute, enabling execution of injected scripts. This flaw is identified as a classic XSS weakness (CWE‑79).

Affected Systems

Ruby on Rails applications that use the ActionView component and allow users to supply custom HTML attributes are affected. All Rails 7.2 releases prior to 7.2.3.1, 8.0 releases prior to 8.0.4.1, and 8.1 releases prior to 8.1.2.1 are vulnerable.

Risk and Exploitability

The CVSS score is 2.3, reflecting low severity, and the vulnerability is not currently listed in the CISA KEV catalog. EPSS data is not available. The risk is primarily limited to applications that permit user‑defined attribute names; the attack can be carried out by sending a crafted HTTP request that causes a view to render a tag with an empty attribute name and an attacker‑controlled value. The likelihood of exploitation is inferred to be low, but the impact can be significant if the affected application exposes user input directly to view rendering.

Generated by OpenCVE AI on March 24, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rails to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 or later.
  • If an upgrade is not possible, remove or sanitize any custom attribute names supplied by users in view templates.
  • Avoid using tag helpers with empty attribute names in user‑controlled contexts.
  • Review existing views to ensure no residual vulnerabilities remain.

Generated by OpenCVE AI on March 24, 2026 at 03:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v55j-83pf-r9cq Rails has a possible XSS vulnerability in its Action View tag helpers
History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails actionview
Vendors & Products Rubyonrails
Rubyonrails actionview

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Title Rails has a possible XSS vulnerability in its Action View tag helpers
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Rubyonrails Actionview
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:36:44.829Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33168

cve-icon Vulnrichment

Updated: 2026-03-24T13:36:34.900Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T23:17:12.873

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-33168

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-23T23:01:22Z

Links: CVE-2026-33168 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:09Z

Weaknesses