CVE-2026-33168
Publication date 23 March 2026
Last updated 25 March 2026
Ubuntu priority
Description
Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rails | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Notes
seth-arnold
In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-33168
- https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
- https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
- https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
- https://github.com/rails/rails/releases/tag/v7.2.3.1
- https://github.com/rails/rails/releases/tag/v8.0.4.1
- https://github.com/rails/rails/releases/tag/v8.1.2.1
- https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq