Description
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Immediate Patch
AI Analysis

Impact

SafeBuffer#% does not propagate the @html_unsafe attribute when a SafeBuffer is mutated in place and then formatted. If an attacker can supply untrusted arguments to the % operation on such a buffer, the resulting string is mistakenly marked as html_safe. This bypasses ERB’s automatic escaping and can cause malicious scripts to execute in a user’s browser, compromising confidentiality and integrity of the rendered page.

Affected Systems

The issue affects the Rails ActiveSupport library in Ruby on Rails. All Rails releases prior to 7.2.3.1, 8.0.4.1, and 8.1.2.1 are vulnerable. Users running Rails 7.2.3, 8.0.4, or 8.1.2 before the corresponding patch releases are impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply untrusted input that is passed as a format argument to `%` after a SafeBuffer has been mutated in place. If the application accepts user-supplied data in such formatting contexts, a remote or local XSS attack could be performed. Because a specific code path is required, the likelihood remains low, but the impact could be significant for affected users.

Generated by OpenCVE AI on March 24, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Rails release that contains the patch (v8.1.2.1, v8.0.4.1, or v7.2.3.1).
  • If upgrading immediately is not possible, avoid mutating SafeBuffer objects in place before using the % operator; prefer immutable concatenations or explicit HTML escaping.
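The mechanism in the description and the second recommended action above, as an added illustrative model written for this page (not ActiveSupport's own SafeBuffer code): a buffer mutated with gsub! is flagged unsafe, the vulnerable `%` drops that flag so an ERB-style renderer emits untrusted markup verbatim, the patched `%` keeps it, and escaping the argument before `%` is safe on any version. ModelSafeBuffer, render, output and UNTRUSTED are hypothetical names.

```ruby
require "erb"

# Illustrative model written for this page, not ActiveSupport's own code.
# A buffer is html-safe until an in-place mutation (gsub!) flips
# @html_unsafe; the vulnerable `%` built a fresh buffer without that flag,
# the patched `%` carries it across.
class ModelSafeBuffer < String
  def initialize(str = "", unsafe: false)
    super(str)
    @html_unsafe = unsafe
  end

  def html_safe?
    !@html_unsafe
  end

  def gsub!(*args, &block)  # in-place mutation: no longer provably safe
    @html_unsafe = true
    super
  end

  def format_vulnerable(*args)  # flag dropped: reports html_safe? == true
    ModelSafeBuffer.new(String.new(self) % args)
  end

  def format_patched(*args)     # flag propagated to the new buffer
    ModelSafeBuffer.new(String.new(self) % args, unsafe: @html_unsafe)
  end
end

# ERB-style rendering: html-safe buffers are emitted verbatim, others escaped.
def render(buf)
  buf.html_safe? ? buf.to_s : ERB::Util.html_escape(buf.to_s)
end

UNTRUSTED = "<script>alert(1)</script>"  # constructed stand-in for user input

# Mutate a template in place, then format it with `mode` and render it.
def output(mode, arg)
  tpl = ModelSafeBuffer.new("Hello %s")
  tpl.gsub!("Hello", "Hi")
  render(tpl.public_send(mode, arg))
end

if __FILE__ == $0
  puts output(:format_vulnerable, UNTRUSTED)  # markup reaches the page raw
  puts output(:format_patched, UNTRUSTED)     # whole buffer escaped
  # Version-independent mitigation: escape the argument before `%`.
  puts output(:format_vulnerable, ERB::Util.html_escape(UNTRUSTED))
end
```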



Advisories

Source: GitHub GHSA
ID: GHSA-89vf-4333-qx8v
Title: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
History

Wed, 25 Mar 2026 20:15:00 +0000
  Values added:
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 18:00:00 +0000
  Values removed:
    Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  Values added:
    First Time appeared: Rubyonrails; Rubyonrails rails
    CPEs: cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
    Vendors & Products: Rubyonrails; Rubyonrails rails
    Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Mar 2026 12:15:00 +0000
  References
  Values removed:
    Metrics: threat_severity None
  Values added:
    Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}; threat_severity Moderate

Tue, 24 Mar 2026 10:45:00 +0000
  Values added:
    First Time appeared: Rails; Rails activesupport
    Vendors & Products: Rails; Rails activesupport

Tue, 24 Mar 2026 02:30:00 +0000
  Values added:
    Description: Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
    Title: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
    Weaknesses: CWE-79
    References
    Metrics: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T19:20:28.280Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33170

Vulnrichment

Updated: 2026-03-25T19:20:23.878Z

NVD

Status: Analyzed

Published: 2026-03-24T00:16:28.287

Modified: 2026-03-24T18:00:00.080

Link: CVE-2026-33170

Red Hat

Severity: Moderate

Public Date: 2026-03-23T23:09:48Z

Links: CVE-2026-33170 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:36:06Z

Weaknesses