Security Advisory

CVE-2026-33170

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-23 23:09:48

Last updated 2026-03-25 19:20:28

Assigner GitHub_M

State PUBLISHED

Description

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments, the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

← Browse all CVEs View on cve.org ↗