This vulnerability, identified as CVE-2026-33170, affects the ActiveSupport component of the Ruby on Rails framework, which provides core extensions and support libraries. The issue lies in the SafeBuffer class, which is designed to handle HTML-safe strings to prevent cross-site scripting (XSS) by marking strings as safe or unsafe for HTML rendering. Prior to the patched versions (8.1.2.1, 8.0.4.1, and 7.2.3.1), when a SafeBuffer instance is mutated in place using methods like gsub! and then formatted with the % operator using untrusted input, the internal @html_unsafe flag is not correctly propagated to the new buffer. Consequently, the resulting string incorrectly reports html_safe? as true, causing ERB templates to skip auto-escaping. This flaw allows attackers to inject malicious scripts into web pages, leading to XSS attacks. The vulnerability does not require authentication but does require user interaction (e.g., a victim visiting a crafted URL or submitting malicious input). The flaw is rooted in improper neutralization of input during web page generation, classified under CWE-79. Although no known exploits are currently reported in the wild, the risk remains significant due to the widespread use of Rails in web applications. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low impact on integrity, with no impact on confidentiality or availability. The patch fixes the propagation of the @html_unsafe flag to ensure that mutated SafeBuffer instances are correctly marked unsafe when appropriate, restoring proper auto-escaping behavior.

The primary impact of this vulnerability is the potential for cross-site scripting (XSS) attacks, which can lead to the execution of arbitrary JavaScript in the context of a vulnerable web application. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites. Since Rails is widely used for web application development globally, many organizations could be affected if they use vulnerable versions of ActiveSupport. The vulnerability can be exploited remotely without authentication but requires user interaction, such as clicking a malicious link or submitting crafted input. The impact on confidentiality and availability is minimal, but the integrity of the web content and user trust can be significantly compromised. Exploitation could also facilitate further attacks such as phishing or malware distribution. Organizations relying on vulnerable Rails versions for customer-facing applications or internal tools are at risk of reputational damage and potential regulatory consequences if user data is compromised.

Organizations should immediately upgrade to the patched versions of ActiveSupport: 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later. In addition to upgrading, developers should audit their codebases for any in-place mutations of SafeBuffer objects followed by formatting with the % operator, especially when untrusted input is involved. Avoid mutating SafeBuffer instances in place or ensure that any such mutations do not bypass HTML escaping mechanisms. Implement strict input validation and sanitization on all user-supplied data before it reaches the rendering layer. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks by restricting script execution sources. Conduct thorough security testing, including automated scanning and manual code reviews focused on template rendering and string handling. Monitor application logs for unusual input patterns or errors related to string formatting. Finally, educate developers about safe handling of HTML-safe strings and the risks of bypassing Rails' built-in escaping.