Home

Description

Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-23 | Updated 2026-03-24 | Assigner GitHub_M




LOW: 2.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 8.1.0.beta1, < 8.1.2.1
affected

>= 8.0.0.beta1, < 8.0.4.1
affected

< 7.2.3.1
affected

References

github.com/.../rails/security/advisories/GHSA-v55j-83pf-r9cq

github.com/...ommit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c

github.com/...ommit/63f5ad83edaa0b976f82d46988d745426aa4a42d

github.com/...ommit/c79a07df1e88738df8f68cb0ee759ad6128ca924

github.com/rails/rails/releases/tag/v7.2.3.1

github.com/rails/rails/releases/tag/v8.0.4.1

github.com/rails/rails/releases/tag/v8.1.2.1

cve.org (CVE-2026-33168)

nvd.nist.gov (CVE-2026-33168)

Download JSON