CVE-2026-33167

Name of the Vulnerable Software and Affected Versions Action Pack versions prior to 8.1.2.1

Description Action Pack, a Rubygem for building web applications on the Rails framework, has an issue where the debug exceptions page does not properly escape exception messages. A crafted exception message could inject arbitrary HTML and JavaScript into the page, potentially leading to Cross-Site Scripting (XSS). This impacts applications with detailed exception pages enabled (config.consider all requests local = true), which is the default in development.

Recommendations Update to Action Pack version 8.1.2.1 or later.