[CVE-2026-33167] Possible XSS vulnerability in Action Pack debug exceptions

jhawthorn · March 23, 2026, 9:26pm

Impact

The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33167
GHSA-pgm4-439c-5jp6

Versions affected

actionpack >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)

Patches

8.1 - https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0.patch

Topic		Replies	Views
[CVE-2020-8264] Possible XSS Vulnerability in Action Pack in Development Mode Security Announcements	1	5548	October 16, 2020
Proposal: add “Prompt for AI agents” block to debug exception pages (PR open) rubyonrails-core	0	60	February 17, 2026
[CVE-2026-33168] Possible XSS vulnerability in Action View tag helpers Security Announcements announcement , security	0	53	March 23, 2026
Adding the ability to show causes in the DebugExceptions view rubyonrails-core	1	247	March 9, 2018
[CVE-2022-22577] Possible XSS Vulnerability in Action Pack Security Announcements patch	0	11629	April 26, 2022

[CVE-2026-33167] Possible XSS vulnerability in Action Pack debug exceptions

Impact

Releases

Versions affected

Patches

Related topics

More Resources