PT-2026-27255 · Rails+1 · Rails+1
Jhawthorn
·
Publicado
2026-03-23
·
Atualizado
2026-05-06
·
CVE-2026-33168
CVSS v2.0
6.4
Média
| Vetor | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
Description
Action View tag helpers are susceptible to an issue where attribute escaping is bypassed when a blank string is used as an HTML attribute name, resulting in malformed HTML. A specially crafted attribute value could be misinterpreted by the browser as a separate attribute name, potentially leading to cross-site scripting (XSS). Applications that permit users to define custom HTML attributes are at risk.
Recommendations
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.
Exploit
Correção
XSS
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Rails
Red Os