Rubygems · Action Pack · CVE-2026-33167
**Name of the Vulnerable Software and Affected Versions**
Action Pack versions prior to 8.1.2.1
**Description**
Action Pack, a Rubygem for building web applications on the Rails framework, has an issue where the debug exceptions page does not properly escape exception messages. A crafted exception message could inject arbitrary HTML and JavaScript into the page, potentially leading to Cross-Site Scripting (XSS). This impacts applications with detailed exception pages enabled (`config.consider_all_requests_local = true`), which is the default in development.
**Recommendations**
Update to Action Pack version 8.1.2.1 or later.
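To check an application against both conditions named above (the locked Action Pack version and the detailed exception page setting), the following is an added example, not code from the Rails project. The helper names and the sample lockfile and environment files are constructed for illustration; the fixed version is the one stated in this advisory.

```ruby
require "rubygems" # provides Gem::Version for correct multi-segment comparison

FIXED = Gem::Version.new("8.1.2.1") # fixed version as stated in this advisory

# Return the actionpack version resolved in Gemfile.lock text, or nil if absent.
def locked_actionpack_version(lockfile_text)
  # Resolved specs are indented four spaces, e.g. "    actionpack (8.1.2)".
  m = lockfile_text.match(/^ {4}actionpack \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def affected?(version)
  version < FIXED
end

# True if an environment file turns on detailed exception pages.
def detailed_exceptions_enabled?(config_text)
  config_text.each_line.any? do |line|
    code = line.sub(/#.*/, "") # ignore commented-out settings
    code.match?(/consider_all_requests_local\s*=\s*true\b/)
  end
end

# Combine both checks: version status plus environments exposing the debug page.
def audit(lockfile_text, env_configs)
  version = locked_actionpack_version(lockfile_text)
  exposed = env_configs.select { |_name, text| detailed_exceptions_enabled?(text) }.keys
  { version: version&.to_s, affected: version ? affected?(version) : nil, exposed_envs: exposed }
end

# Constructed sample input (not taken from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (8.1.2)
        rack (>= 2.2.4)
      rack (3.1.8)
LOCK

SAMPLE_ENVS = {
  "development" => "config.consider_all_requests_local = true\n",
  "production"  => "# config.consider_all_requests_local = true\n" \
                   "config.consider_all_requests_local = false\n",
  "staging"     => "  config.consider_all_requests_local = true\n"
}

puts audit(SAMPLE_LOCK, SAMPLE_ENVS).inspect
```

Any environment other than development that appears in `exposed_envs` is worth reviewing regardless of the installed version, since it serves the debug exceptions page to every client.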