CVE-2026-33170
Received Received - Intake

XSS Vulnerability in Active Support SafeBuffer Formatting

Vulnerability report for CVE-2026-33170, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
rubyonrails rails to 7.2.3.1 (exc)
rubyonrails rails From 8.0.0 (inc) to 8.0.4.1 (exc)
rubyonrails rails From 8.1.0 (inc) to 8.1.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-33170 is a cross-site scripting (XSS) vulnerability in the SafeBuffer#% method of the Active Support component in Ruby on Rails. The issue occurs because the method fails to propagate the @html_unsafe flag to the newly created buffer after formatting. If a SafeBuffer object is mutated in place (e.g., using gsub!) and then formatted with the % operator using untrusted input, the resulting buffer incorrectly reports html_safe? as true. This misreporting bypasses ERB's automatic HTML escaping, potentially allowing malicious scripts to be injected and executed."}, {'type': 'paragraph', 'content': 'The vulnerability affects versions of the activesupport Ruby gem before 8.1.2.1, 8.0.4.1, and 7.2.3.1, which contain patches that fix this issue by ensuring the unsafe status of buffers is preserved during formatting operations.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to cross-site scripting (XSS) attacks in applications using affected versions of Ruby on Rails. Because the SafeBuffer#% method incorrectly marks unsafe buffers as safe after formatting, malicious input may bypass ERB's automatic HTML escaping."}, {'type': 'paragraph', 'content': 'As a result, attackers could inject and execute arbitrary scripts in the context of the affected web application, potentially compromising user data, session information, or performing unauthorized actions on behalf of users.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability is related to the Ruby on Rails Active Support component, specifically the SafeBuffer#% method mishandling the HTML safety flag during string formatting. Detection involves identifying if your application uses vulnerable versions of the activesupport Ruby gem (versions >= 8.1 and < 8.1.2.1, >= 8.0 and < 8.0.4.1, or < 7.2.3.1).

To detect if your system is vulnerable, you can check the installed version of the activesupport gem by running the following command in your application environment:

  • gem list activesupport

If the version falls within the vulnerable ranges, your system is susceptible to this issue.

Additionally, you can audit your application code for usage of the SafeBuffer#% method combined with in-place mutations like gsub! and untrusted input formatting, which could lead to XSS vulnerabilities.

Mitigation Strategies

The primary mitigation step is to upgrade the activesupport Ruby gem to a patched version where this vulnerability is fixed.

  • Upgrade to activesupport version 8.1.2.1 or later if you are on the 8.1 series.
  • Upgrade to activesupport version 8.0.4.1 or later if you are on the 8.0 series.
  • Upgrade to activesupport version 7.2.3.1 or later if you are on the 7.x series.

These updates ensure that the SafeBuffer#% method correctly preserves the HTML safety status of buffers after formatting, preventing unsafe buffers from being mistakenly treated as safe and mitigating potential XSS risks.

If immediate upgrading is not possible, review and sanitize any untrusted input used in string formatting operations involving SafeBuffer, and avoid in-place mutations like gsub! on SafeBuffer instances before formatting.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33170. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart