CVE-2026-33168 in actionviewinfo

Summary

by MITRE • 03/24/2026

Action View provides conventions and helpers for building web pages with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability exists within the Action View component of the Ruby on Rails framework, which serves as a fundamental building block for web page construction in Rails applications. The flaw manifests when developers utilize blank strings as HTML attribute names within Action View tag helpers, creating a condition where the standard HTML attribute escaping mechanism fails to properly sanitize the input. This represents a classic input validation and output encoding issue that has been classified under CWE-116 as improper encoding or escaping of output, specifically within the context of HTML attribute handling.

The technical exploitation of this vulnerability occurs through the bypass of HTML attribute escaping when blank strings are used as attribute names in Rails tag helpers. When a blank string is passed as an attribute name, the framework fails to properly escape the subsequent attribute value, allowing potentially malicious input to be interpreted by web browsers as legitimate HTML attributes. This malformed HTML construction creates a vector for cross-site scripting attacks, where an attacker could craft an attribute value that the browser misinterprets as a separate attribute name, effectively injecting malicious code into the rendered web page. The vulnerability directly aligns with ATT&CK technique T1203, which covers exploitation of web application vulnerabilities for code execution.

Applications affected by this vulnerability include any Rails-based web applications that permit user input to specify custom HTML attributes through Action View helpers, particularly those that dynamically generate HTML content based on user-provided data. The impact extends beyond simple XSS payloads to potentially enable more sophisticated attacks including session hijacking, credential theft, and malicious redirection. The vulnerability is particularly dangerous in contexts where users can influence HTML generation, such as content management systems, user profile customization features, or any application allowing HTML attribute manipulation through user input.

The patch implemented in versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 addresses this issue by strengthening the HTML attribute escaping logic to properly handle blank string attribute names. This fix ensures that all attribute values are correctly escaped regardless of whether the attribute name is blank or contains special characters. Organizations should immediately upgrade their Rails applications to these patched versions to mitigate the risk of XSS exploitation. Additional defensive measures include implementing strict input validation for HTML attributes, sanitizing all user-provided HTML content, and employing content security policies to limit the impact of potential XSS attacks. The vulnerability demonstrates the critical importance of proper HTML escaping in web frameworks and highlights the need for comprehensive security testing of template rendering components.

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00516

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!