Cross Site Scripting

Active Support is vulnerable to Cross Site Scripting. The vulnerability is due to SafeBuffer% not propagating the @htmlunsafe flag to the newly created buffer, where a SafeBuffer is mutated in place and then formatted with % using untrusted arguments, and the result incorrectly reports htmlsafe? ...

SUSE CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

Linux Distros Unpatched Vulnerability : CVE-2026-33170

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,...

CVE-2026-33170

A flaw was found in Active Support, a toolkit of support libraries for the Rails framework. When a SafeBuffer is modified in place and subsequently formatted with untrusted input, the @htmlunsafe flag is not correctly propagated. This improper handling causes the buffer to incorrectly report as...

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

UBUNTU-CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

CVE-2026-33170

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and th...

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and then formatted with % using untrusted arguments, the result incorrectly reports htmlsafe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

PT-2026-27257

Name of the Vulnerable Software and Affected Versions Active Support versions prior to 8.1.2.1 Active Support versions prior to 8.0.4.1 Active Support versions prior to 7.2.3.1 Description The SafeBuffer% function does not correctly propagate the @html unsafe flag to newly created buffers. If a...

Rails 跨站脚本漏洞

Rails is an open-source web application framework based on the Ruby language, developed by the Rails team in the United States. Versions of Rails Active Support prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of...

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and then formatted with % using untrusted arguments, the result incorrectly reports htmlsafe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

OESA-2024-1798 rubygem-activesupport security update

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing. Security Fixes: A Cross-Site-Scripting vulnerability was found in rubygem ActiveSupport. If the new bytesplice method is...

SUSE CVE-2023-28120

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input...

Cross-site Scripting (XSS)

Overview activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS when using the SafeBufferbytesplice function, the output of which is not treated as mutated and...

SUSE CVE-2012-1098

Cross-site scripting XSS vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods...

DEBIAN-CVE-2012-1098

Cross-site scripting XSS vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods...