GHSA-pgm4-439c-5jp6

Source

https://github.com/advisories/GHSA-pgm4-439c-5jp6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pgm4-439c-5jp6/GHSA-pgm4-439c-5jp6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-pgm4-439c-5jp6

Aliases

CVE-2026-33167

Related

CGA-c97h-38xv-957r

Published

2026-03-23T20:45:15Z

Modified

2026-03-25T21:03:43.046356Z

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

Rails has a possible XSS vulnerability in its Action Pack debug exceptions

Details

Impact

The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development.

Releases

The fixed releases are available at the normal locations.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2026-03-23T23:17:12Z",
    "github_reviewed_at": "2026-03-23T20:45:15Z",
    "severity": "LOW"
}

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.1.0

Fixed

8.1.2.1

Affected versions

8.*

8.1.0

8.1.1

8.1.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-pgm4-439c-5jp6/GHSA-pgm4-439c-5jp6.json"