FKIE_CVE-2026-33168
Vulnerability from fkie_nvd - Published: 2026-03-23 23:17 - Updated: 2026-04-16 14:46
Severity
Summary
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch."
},
{
"lang": "es",
"value": "Action View proporciona convenciones y ayudantes para construir p\u00e1ginas web con el framework Rails. Anteriormente a las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1, cuando se utiliza una cadena vac\u00eda como nombre de atributo HTML en los ayudantes de etiquetas de Action View, el escape de atributos se omite, produciendo HTML malformado. Un valor de atributo cuidadosamente elaborado podr\u00eda entonces ser malinterpretado por el navegador como un nombre de atributo separado, posiblemente llevando a XSS. Las aplicaciones que permiten a los usuarios especificar atributos HTML personalizados se ven afectadas. Las versiones 8.1.2.1, 8.0.4.1 y 7.2.3.1 contienen un parche."
}
],
"id": "CVE-2026-33168",
"lastModified": "2026-04-16T14:46:24.290",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-23T23:17:12.873",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.