This vulnerability, tracked as CVE-2026-33170, affects the ActiveSupport component of the Ruby on Rails framework, specifically the SafeBuffer class used for handling HTML-safe strings. SafeBuffer is designed to prevent cross-site scripting by marking strings as html_safe or unsafe, controlling whether ERB templates auto-escape content. Prior to the patched versions (8.1.2.1, 8.0.4.1, 7.2.3.1), the SafeBuffer#% method fails to propagate the @html_unsafe flag when the buffer is mutated in place (e.g., via destructive methods like gsub!) and then formatted with the % operator using untrusted input. This results in the output being incorrectly flagged as html_safe, causing ERB to skip escaping. Consequently, malicious input can be injected into web pages, leading to reflected or stored XSS attacks. The vulnerability does not require authentication but does require user interaction, such as visiting a crafted URL or submitting malicious input. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild. The issue is fixed by ensuring the @html_unsafe flag is correctly propagated in the SafeBuffer#% method in the patched versions.

The primary impact of this vulnerability is the potential for cross-site scripting attacks, which can allow attackers to execute arbitrary JavaScript in the context of affected web applications. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. Organizations using vulnerable versions of Rails ActiveSupport in web applications risk exposing their users to these attacks, potentially damaging reputation and user trust. Since Rails is widely used for web development globally, the scope is broad. The vulnerability affects confidentiality and integrity partially but does not impact availability. Exploitation requires user interaction, which may limit automated widespread exploitation but targeted attacks remain a concern. The medium CVSS score reflects moderate risk, but the ease of patching and availability of fixes reduce long-term exposure if promptly addressed.

Organizations should immediately upgrade to the patched versions of Rails ActiveSupport: 8.1.2.1 or later, 8.0.4.1 or later, or 7.2.3.1 or later, depending on their current version. If upgrading is not immediately feasible, review and audit any usage of SafeBuffer and string formatting in the application code to identify unsafe patterns, especially where destructive mutations and formatting with untrusted input occur. Implement additional input validation and sanitization on user-supplied data before it reaches formatting functions. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS by restricting script execution sources. Conduct thorough testing of web applications to detect any XSS vulnerabilities, including automated scanning and manual penetration testing focused on input handling and output encoding. Monitor security advisories for any emerging exploit reports and apply patches promptly. Avoid relying solely on framework auto-escaping and consider defense-in-depth strategies for output encoding.