CVE-2026-33168

Rails has a possible XSS vulnerability in its Action View tag helpers

Description

Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

INFO

Published Date :

2026-03-23T23:01:22.019Z

Last Modified :

2026-03-24T13:36:44.829Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33168 vulnerability.

Vendors	Products
Rubyonrails	Actionview

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33168.

URL	Resource
https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
https://github.com/rails/rails/releases/tag/v7.2.3.1
https://github.com/rails/rails/releases/tag/v8.0.4.1
https://github.com/rails/rails/releases/tag/v8.1.2.1
https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
https://nvd.nist.gov/vuln/detail/CVE-2026-33168
https://www.cve.org/CVERecord?id=CVE-2026-33168