PT-2026-27255 · Rails+1 · Rails+1
Jhawthorn
·
Published
2026-03-23
·
Updated
2026-05-06
·
CVE-2026-33168
CVSS v2.0
6.4
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Rails versions prior to 8.1.2.1
Rails versions prior to 8.0.4.1
Rails versions prior to 7.2.3.1
Description
Action View tag helpers are susceptible to an issue where attribute escaping is bypassed when a blank string is used as an HTML attribute name, resulting in malformed HTML. A specially crafted attribute value could be misinterpreted by the browser as a separate attribute name, potentially leading to cross-site scripting (XSS). Applications that permit users to define custom HTML attributes are at risk.
Recommendations
Update to Rails version 8.1.2.1 or later.
Update to Rails version 8.0.4.1 or later.
Update to Rails version 7.2.3.1 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Rails
Red Os