Platform
ruby
Component
actionpack
Fixed in
8.1.1
8.1.2.1
CVE-2026-33167 is a cross-site scripting (XSS) vulnerability discovered in Ruby on Rails Actionpack versions up to 8.1.2. An attacker can inject malicious HTML and JavaScript code into the debug exceptions page by crafting a specific exception message. This vulnerability primarily impacts development environments where detailed exception pages are enabled (`config.consider_all_requests_local = true`) and can lead to information disclosure or further exploitation. The vulnerability is fixed in version 8.1.2.1.
The primary impact of CVE-2026-33167 is the potential for cross-site scripting (XSS) within the Rails application's debug exceptions page. An attacker who can trigger an exception with a specially crafted message can inject arbitrary HTML and JavaScript code. This code will then be executed in the context of the user's browser when they view the exception page. This could allow an attacker to steal session cookies, redirect users to malicious websites, or deface the application. The vulnerability's scope is limited to development environments where detailed exception pages are enabled, which is the default configuration. Exploitation requires the ability to trigger an exception, which might be achieved through input manipulation or by exploiting other vulnerabilities within the application.
This vulnerability was responsibly reported by HackerOne researcher [fbettag]. The vulnerability is rated as LOW severity according to CVSS. No public proof-of-concept (PoC) code had been released as of the publication date. There are no indications of active exploitation campaigns targeting this vulnerability. The CVE was published on 2026-03-23.
Development teams using Ruby on Rails versions 8.1.2 and earlier are at risk. Specifically, applications configured with detailed exception pages enabled in development environments are particularly vulnerable. This includes developers working on new Rails projects or maintaining existing ones.
• ruby / server:
grep -r "config.consider_all_requests_local = true" config/environments/*.rb
• ruby / application code:
grep -r "exception_app.html.erb" app/views/exceptions/
Disclosure
Patch
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33167 is to upgrade to Ruby on Rails Actionpack version 8.1.2.1 or later, which contains the fix. If upgrading is not immediately feasible, consider disabling detailed exception pages in development environments by setting `config.consider_all_requests_local = false` in your Rails application configuration. This will prevent the vulnerable exception page from being displayed. As a temporary workaround, you could implement input validation and sanitization to prevent the injection of malicious characters into exception messages, although this is not a complete solution. After upgrading, confirm the fix by attempting to trigger an exception with a crafted message and verifying that the output is properly escaped.
Update the Action Pack gem to version 8.1.2.1 or higher. This will fix the XSS vulnerability in the debug exceptions page. Make sure detailed exception pages are enabled (`config.consider_all_requests_local = true`) only in development environments.
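As an added example (not part of this advisory, and not code from the Rails project), the following Ruby script applies the two checks described above offline: it reads a Gemfile.lock for the locked actionpack version and compares it with the fixed release 8.1.2.1 named on this page, and it flags any environment file that sets `config.consider_all_requests_local = true` outside `development.rb`. The sample lockfile and environment file contents are constructed for the example; the lockfile layout assumed is the one Bundler writes (gem entries indented four spaces under `specs:`).

```ruby
# Added example: offline exposure check for CVE-2026-33167.
# Assumptions: fixed actionpack release is 8.1.2.1 (from the advisory);
# Gemfile.lock uses Bundler's layout; environment files live under
# config/environments/. Sample inputs below are constructed, not real.
require "rubygems"

FIXED_VERSION = Gem::Version.new("8.1.2.1")

# Extract the locked actionpack version from Gemfile.lock text.
# Direct gem entries are indented exactly four spaces; dependency lines
# (six spaces, "(= x.y.z)") are deliberately not matched.
# Returns nil if actionpack is not present in the lockfile.
def actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([^)]+)\)/)
  m && Gem::Version.new(m[1])
end

# True when the locked actionpack version is older than the fixed release.
def vulnerable_version?(lockfile_text)
  v = actionpack_version(lockfile_text)
  !v.nil? && v < FIXED_VERSION
end

# Given { "config/environments/production.rb" => contents, ... }, return the
# paths whose (uncommented) code enables detailed exception pages.
def environments_with_local_requests(env_files)
  env_files.select do |_path, src|
    src.lines.any? do |line|
      stripped = line.strip
      next false if stripped.start_with?("#") # ignore commented-out settings
      stripped.match?(/\Aconfig\.consider_all_requests_local\s*=\s*true\b/)
    end
  end.keys
end

# Combine both checks into a list of actionable findings.
def assess(lockfile_text, env_files)
  findings = []
  if vulnerable_version?(lockfile_text)
    findings << "actionpack #{actionpack_version(lockfile_text)} is older than #{FIXED_VERSION}: upgrade"
  end
  environments_with_local_requests(env_files).each do |path|
    next if path.end_with?("development.rb") # expected and acceptable there
    findings << "#{path}: consider_all_requests_local = true outside development"
  end
  findings
end

# Constructed sample lockfile (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        actionview (= 8.1.2)
      actionview (8.1.2)
LOCK

# Constructed sample environment files (not a real project's files).
SAMPLE_ENVS = {
  "config/environments/development.rb" => "config.consider_all_requests_local = true\n",
  "config/environments/production.rb"  => "# config.consider_all_requests_local = true\nconfig.consider_all_requests_local = true\n",
  "config/environments/test.rb"        => "config.consider_all_requests_local = false\n",
}

if __FILE__ == $PROGRAM_NAME
  assess(SAMPLE_LOCK, SAMPLE_ENVS).each { |finding| puts finding }
end
```

Run against a real checkout by reading `Gemfile.lock` and the files under `config/environments/` into the two arguments of `assess`. The version comparison uses `Gem::Version`, so a four-segment patch release such as 8.1.2.1 sorts correctly above 8.1.2; a plain string comparison would not.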
CVE-2026-33167 is a cross-site scripting (XSS) vulnerability in Ruby on Rails Actionpack versions up to 8.1.2, allowing attackers to inject malicious code via crafted exception messages.
You are affected if you are using Ruby on Rails Actionpack version 8.1.2 or earlier and have detailed exception pages enabled in your development environment.
Upgrade to Ruby on Rails Actionpack version 8.1.2.1 or later. Alternatively, disable detailed exception pages in development by setting `config.consider_all_requests_local = false`.
There are currently no indications of active exploitation campaigns targeting CVE-2026-33167.
Refer to the official Ruby on Rails security advisories at [https://github.com/rails/rails/security/advisories](https://github.com/rails/rails/security/advisories) for details.