Platform
ruby
Component
actionpack
Fixed in
8.1.1
8.1.2.1
CVE-2026-33167 is a cross-site scripting (XSS) vulnerability in Ruby on Rails Action Pack versions up to and including 8.1.2. An attacker who can get attacker-controlled text into an exception message can inject HTML and JavaScript into the debug exceptions page, which renders that message into the response. The page is only shown when detailed exception pages are enabled (`config.consider_all_requests_local = true`), which is the default in development and not in production, so the vulnerability primarily affects development environments, where it can lead to information disclosure or further exploitation of whoever views the page. The vulnerability is fixed in version 8.1.2.1.
The primary impact of CVE-2026-33167 is cross-site scripting (XSS) within the Rails application's debug exceptions page. An attacker who can trigger an exception with a specially crafted message can inject arbitrary HTML and JavaScript, which then runs in the browser of the user who views the exception page, typically a developer. That script can read anything the page's JavaScript can (note that Rails session cookies are HttpOnly by default, so they are not directly readable), redirect the user to a malicious site, or deface the page. The scope is limited to environments with detailed exception pages enabled, which is the default only in development. Exploitation requires the ability to trigger an exception whose message contains attacker-controlled input, for example through input manipulation or by chaining another vulnerability in the application.
This vulnerability was responsibly reported by HackerOne researcher [fbettag]. It is rated LOW severity under CVSS. No public proof-of-concept (PoC) code had been released as of the publication date, and there are no indications of active exploitation campaigns targeting it. The CVE was published on 2026-03-23.
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33167 is to upgrade Action Pack to version 8.1.2.1 or later, which contains the fix. If upgrading is not immediately feasible, you can disable detailed exception pages by setting `config.consider_all_requests_local = false` in the affected environment's configuration (config/environments/development.rb for development); production uses `false` by default and is therefore not exposed unless that setting was changed. Input validation and sanitization that keeps untrusted characters out of exception messages reduces exposure but is not a complete fix, since any code path that interpolates request data into an exception message remains a vector. After upgrading, confirm the fix by triggering an exception whose message contains HTML metacharacters and verifying that the rendered page shows them escaped (`&lt;`, `&gt;`, `&quot;`) rather than as markup.
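The following Ruby script is an added illustration, not code from the advisory or from Action Pack. It models the failure mode described above (attacker input reaching an exception message that is interpolated unescaped into an HTML error page), shows the escaped rendering that the fix amounts to, and implements the post-upgrade check recommended here as a reusable assertion. The payload, the `raise_with_user_input` code path and both `render_debug_page_*` functions are constructed stand-ins; only `ERB::Util.html_escape` is real library code.

```ruby
require "erb"

# Constructed attacker-controlled input for the demonstration (not taken from
# the advisory): a string that executes script if echoed unescaped into HTML.
PAYLOAD = %q{<img src=x onerror="alert(document.cookie)">}

# Hypothetical code path that lets request input reach an exception message,
# e.g. an option parser that echoes the unknown value back to the caller.
def raise_with_user_input(input)
  raise ArgumentError, "unknown option: #{input}"
end

# Hypothetical stand-in for a vulnerable debug page renderer (not Action Pack's
# own template): the message is interpolated straight into the HTML.
def render_debug_page_unescaped(exception)
  "<h1>#{exception.class}</h1>\n<p>#{exception.message}</p>"
end

# Hardened form: every interpolated value is passed through ERB::Util.html_escape,
# so HTML metacharacters in the message are rendered as text, not markup.
def render_debug_page_escaped(exception)
  "<h1>#{ERB::Util.html_escape(exception.class.name)}</h1>\n" \
    "<p>#{ERB::Util.html_escape(exception.message)}</p>"
end

# Runs the failing code path and renders the rescued exception with +renderer+,
# mirroring what the exceptions middleware does for a request that raised.
def capture(renderer)
  raise_with_user_input(PAYLOAD)
rescue ArgumentError => e
  renderer.call(e)
end

# The post-upgrade check: the raw payload must not appear in the page, and its
# escaped form must, proving the message was rendered as text.
def payload_escaped?(html, payload = PAYLOAD)
  !html.include?(payload) && html.include?(ERB::Util.html_escape(payload))
end

if __FILE__ == $PROGRAM_NAME
  [[:render_debug_page_unescaped, "vulnerable"],
   [:render_debug_page_escaped, "fixed"]].each do |name, label|
    page = capture(method(name))
    puts "#{label}: payload escaped? #{payload_escaped?(page)}"
    puts page
    puts
  end
end
```

To turn `payload_escaped?` into a real regression check against an upgraded application, fetch the debug page from a development server with a request that triggers the crafted exception and pass the response body to it; a `false` result means the message is still reaching the page unescaped.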
Update the Action Pack gem to version 8.1.2.1 or later. This fixes the XSS vulnerability in the debug exceptions page. Make sure detailed exception pages (`config.consider_all_requests_local = true`) are enabled only in development environments.
CVE-2026-33167 is a cross-site scripting (XSS) vulnerability in Ruby on Rails Action Pack versions up to and including 8.1.2 that allows attackers to inject HTML and JavaScript into the debug exceptions page via crafted exception messages.
You are affected if you are using Action Pack version 8.1.2 or earlier and have detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development.
Upgrade to Action Pack version 8.1.2.1 or later. Alternatively, disable detailed exception pages in development by setting `config.consider_all_requests_local = false`.
There are currently no indications of active exploitation campaigns targeting CVE-2026-33167.
Refer to the official Ruby on Rails security advisories at [https://github.com/rails/rails/security/advisories](https://github.com/rails/rails/security/advisories) for details.