[CVE-2026-33170] Possible XSS vulnerability in SafeBuffer#% in Active Support

jhawthorn · March 23, 2026, 9:25pm

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

CVE-2026-33170
GHSA-89vf-4333-qx8v

Versions affected

activesupport >= 8.1, < 8.1.2.1 (patched in 8.1.2.1)
activesupport >= 8.0, < 8.0.4.1 (patched in 8.0.4.1)
activesupport < 7.2.3.1 (patched in 7.2.3.1)

Patches

Credit

This issue was responsibly reported by Seokchan Yoon (https://ch4n3.kr)

Topic		Replies	Views
[CVE-2023-28120] Possible XSS Security Vulnerability in SafeBuffer#bytesplice Security Announcements announcement , patch , security	0	8427	March 13, 2023
Cannot modify SafeBuffer in place rubyonrails-core	4	249	June 8, 2011
Deprecate ActiveSupport::SafeBuffer modifications rubyonrails-core	0	135	November 21, 2014
Rails 2.3 SafeBuffer leaked evil all over my yaml rubyonrails-talk	0	166	April 1, 2010
ActionView::Template::Error (Cannot modify SafeBuffer in place): rubyonrails-talk	1	142	June 28, 2011