Ruby on Rails Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-33170
Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1 and 7.2.3.1, SafeBuffer does not propagate the html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub) and then formatted using untrusted arguments, the result incorrectly reports html_safe as true, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1 and 7.2.3.1 contain a patch.
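The following self-contained Ruby model is an added illustration of the flag-propagation mistake described above, not code from Rails or ActiveSupport: it places the lossy behaviour beside the corrected one so the effect on auto-escaping can be checked. It assumes the formatting step is Ruby's `String#%`, that in-place mutation (`gsub!` in the model) clears the safe flag, and uses a constructed untrusted input.

```ruby
# Minimal stand-in for an HTML-safe string buffer. Assumption: models the
# behaviour the advisory describes, not ActiveSupport::SafeBuffer itself.
module HtmlEscape
  def self.escape(s)
    s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
  end
end

class ToyBuffer < String
  def initialize(str = "", html_safe: true)
    @html_safe = html_safe
    super(str)
  end

  def html_safe?
    @html_safe
  end

  # In-place mutation may insert arbitrary content, so the buffer is marked
  # unsafe afterwards (the advisory's gsub case).
  def gsub!(*args, &block)
    @html_safe = false
    super
  end

  # Arguments are escaped only when the receiver is itself safe; an unsafe
  # receiver relies on ERB escaping the whole result later.
  def format_args(args)
    Array(args).map { |a| html_safe? ? HtmlEscape.escape(a.to_s) : a.to_s }
  end

  # VULNERABLE: the new buffer defaults to html_safe, losing the unsafe flag.
  def vulnerable_format(args)
    ToyBuffer.new(String.new(self) % format_args(args))
  end

  # FIXED: the receiver's flag is carried over to the new buffer.
  def fixed_format(args)
    ToyBuffer.new(String.new(self) % format_args(args), html_safe: html_safe?)
  end
end

# What ERB auto-escaping does: trust the buffer only when it says html_safe?.
def render(buf)
  buf.html_safe? ? buf.to_s : HtmlEscape.escape(buf.to_s)
end

# Trusted template, mutated in place, then formatted with constructed
# untrusted input; returns [reported html_safe?, rendered output].
def demonstrate(method)
  tpl = ToyBuffer.new("Hello %s!")
  tpl.gsub!("Hello", "Hi")
  result = tpl.public_send(method, "<b>user</b>")
  [result.html_safe?, render(result)]
end
```

With the lossy version the mutated buffer reports html_safe? true and the markup reaches the rendered output unescaped; with the flag propagated, the same input is escaped by the render step.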