{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33168", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.888Z", "datePublished": "2026-03-23T23:01:22.019Z", "dateUpdated": "2026-03-24T13:36:44.829Z"}, "containers": {"cna": {"title": "Rails has a possible XSS vulnerability in its Action View tag helpers", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"}, {"name": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c"}, {"name": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d"}, {"name": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924"}, {"name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}], "affected": [{"vendor": "rails", "product": "actionview", "versions": [{"version": ">= 8.1.0.beta1, < 8.1.2.1", "status": "affected"}, {"version": ">= 8.0.0.beta1, < 8.0.4.1", "status": "affected"}, {"version": "< 7.2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:11.173Z"}, "descriptions": [{"lang": "en", "value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "source": {"advisory": "GHSA-v55j-83pf-r9cq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:36:28.555604Z", "id": "CVE-2026-33168", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:36:44.829Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:36:28.555604Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:36:34.900Z"}}], "cna": {"title": "Rails has a possible XSS vulnerability in its Action View tag helpers", "source": {"advisory": "GHSA-v55j-83pf-r9cq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "rails", "product": "actionview", "versions": [{"status": "affected", "version": ">= 8.1.0.beta1, < 8.1.2.1"}, {"status": "affected", "version": ">= 8.0.0.beta1, < 8.0.4.1"}, {"status": "affected", "version": "< 7.2.3.1"}]}], "references": [{"url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq", "name": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c", "name": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d", "name": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924", "name": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "name": "https://github.com/rails/rails/releases/tag/v7.2.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "name": "https://github.com/rails/rails/releases/tag/v8.0.4.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "name": "https://github.com/rails/rails/releases/tag/v8.1.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T23:19:11.173Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33168", "state": "PUBLISHED", "dateUpdated": "2026-03-24T13:36:44.829Z", "dateReserved": "2026-03-17T21:17:08.888Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T23:01:22.019Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."}, {"lang": "es", "value": "Action View proporciona convenciones y ayudantes para construir p\u00e1ginas web con el framework Rails. Anteriormente a las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, cuando se utiliza una cadena vac\u00eda como nombre de atributo HTML en los ayudantes de etiquetas de Action View, el escape de atributos se omite, produciendo HTML malformado. Un valor de atributo cuidadosamente elaborado podr\u00eda entonces ser malinterpretado por el navegador como un nombre de atributo separado, posiblemente llevando a XSS. Las aplicaciones que permiten a los usuarios especificar atributos HTML personalizados se ven afectadas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."}], "id": "CVE-2026-33168", "lastModified": "2026-04-16T14:46:24.290", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T23:17:12.873", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "actionview: Action View: Cross-Site Scripting (XSS) via blank HTML attribute names", "id": "2450549", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450549"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Action View, a component of the Rails framework. When a blank string is used as an HTML attribute name in Action View tag helpers, it bypasses attribute escaping, producing malformed HTML. A remote attacker could exploit this by crafting a malicious attribute value, which a web browser might misinterpret as a separate attribute. This could lead to Cross-Site Scripting (XSS), a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users."], "name": "CVE-2026-33168", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp20/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp21/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp22/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp24/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp25/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp26/zync", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/system-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel7", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel8", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Fix deferred", "package_name": "3scale-amp2/zync-rhel9", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2026-03-23T23:01:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33168\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33168\nhttps://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c\nhttps://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d\nhttps://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924\nhttps://github.com/rails/rails/releases/tag/v7.2.3.1\nhttps://github.com/rails/rails/releases/tag/v8.0.4.1\nhttps://github.com/rails/rails/releases/tag/v8.1.2.1\nhttps://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.1.0.beta1,8.1.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0.0.beta1,8.0.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.2.3.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "actionview", "source": "cna", "vendor": "rails"}, "product": "actionview", "vendor": "rubyonrails"}], "analysis": {"en": {"generated_at": "2026-03-24T03:42:56.134451+00:00", "value": {"mitigation_remediation": ["Update Rails to version 7.2.3.1, 8.0.4.1, or 8.1.2.1 or later.", "If an upgrade is not possible, remove or sanitize any custom attribute names supplied by users in view templates.", "Avoid using tag helpers with empty attribute names in user\u2011controlled contexts.", "Review existing views to ensure no residual vulnerabilities remain."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting via malformed HTML attributes in Rails ActionView tag helpers"}, "threat_synthesis": {"affected_systems": "Ruby on Rails applications that use the ActionView component and allow users to supply custom HTML attributes are affected. All Rails 7.2 releases prior to 7.2.3.1, 8.0 releases prior to 8.0.4.1, and 8.1 releases prior to 8.1.2.1 are vulnerable.", "description_and_impact": "Rails Action View provides helpers for generating HTML. When a blank string is supplied as an attribute name, the escaping logic is bypassed, producing malformed markup. A malicious attribute value can be interpreted by the browser as a separate attribute, enabling execution of injected scripts. This flaw is identified as a classic XSS weakness (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 2.3, reflecting low severity, and the vulnerability is not currently listed in the CISA KEV catalog. EPSS data is not available. The risk is primarily limited to applications that permit user\u2011defined attribute names; the attack can be carried out by sending a crafted HTTP request that causes a view to render a tag with an empty attribute name and an attacker\u2011controlled value. The likelihood of exploitation is inferred to be low, but the impact can be significant if the affected application exposes user input directly to view rendering."}}}}, "created": "2026-03-24T10:30:02.236500+00:00", "updated": "2026-03-25T20:36:09.878764+00:00", "vendors": ["rubyonrails", "rubyonrails$PRODUCT$actionview"]}