{"id":"CVE-2024-26143","summary":"Rails Possible XSS Vulnerability in Action Controller","details":"Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.","aliases":["BIT-rails-2024-26143","GHSA-9822-6m93-xqf4"],"modified":"2026-04-10T05:10:54.750912Z","published":"2024-02-27T15:33:54.643Z","related":["openSUSE-SU-2024:14067-1","openSUSE-SU-2024:14074-1","openSUSE-SU-2025:15110-1","openSUSE-SU-2025:15124-1"],"database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26143.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26143.json"},{"type":"ADVISORY","url":"https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"},{"type":"ADVISORY","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26143"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240510-0004/"},{"type":"FIX","url":"https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"},{"type":"FIX","url":"https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"984c3ef2775781d47efa9f541ce570daa2434a80"},{"fixed":"506462ab13755d9f024e1ddbfc8c58d73e7a1bce"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"7.0.8.1"}]}},{"type":"GIT","repo":"https://github.com/rails/rails","events":[{"introduced":"d39db5d1891f7509cde2efc425c9d69bbb77e670"},{"fixed":"d73ed958dc91d6b8cbb0bef7b4cdcfc013bd876f"}],"database_specific":{"versions":[{"introduced":"7.1.0"},{"fixed":"7.1.3.1"}]}}],"versions":["v7.0.0","v7.0.1","v7.0.2","v7.0.3","v7.0.4","v7.0.5","v7.0.6","v7.0.7","v7.0.8","v7.1.0","v7.1.1","v7.1.2","v7.1.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26143.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}