{"$ref":"https://www.cert.ssi.gouv.fr/openapi.json","affected_systems":[{"description":"activestorage versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1","product":{"name":"activestorage","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"activesupport versions ant\u00e9rieures \u00e0 7.2.3.1","product":{"name":"activesupport","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"actionview versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1","product":{"name":"actionview","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"actionpack versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1","product":{"name":"actionpack","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"activesupport versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1","product":{"name":"activesupport","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"actionview versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1","product":{"name":"actionview","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"actionview versions ant\u00e9rieures \u00e0 7.2.3.1","product":{"name":"actionview","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"activestorage versions ant\u00e9rieures \u00e0 7.2.3.1","product":{"name":"activestorage","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"activesupport versions 8.0.x ant\u00e9rieures \u00e0 8.0.4.1","product":{"name":"activesupport","vendor":{"name":"Ruby on Rails","scada":false}}},{"description":"activestorage versions 8.1.x ant\u00e9rieures \u00e0 8.1.2.1","product":{"name":"activestorage","vendor":{"name":"Ruby on Rails","scada":false}}}],"affected_systems_content":"","content":"## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l'\u00e9diteur pour l'obtention des correctifs (cf. section Documentation).","cves":[{"name":"CVE-2026-33202","url":"https://www.cve.org/CVERecord?id=CVE-2026-33202"},{"name":"CVE-2026-33168","url":"https://www.cve.org/CVERecord?id=CVE-2026-33168"},{"name":"CVE-2026-33658","url":"https://www.cve.org/CVERecord?id=CVE-2026-33658"},{"name":"CVE-2026-33169","url":"https://www.cve.org/CVERecord?id=CVE-2026-33169"},{"name":"CVE-2026-33195","url":"https://www.cve.org/CVERecord?id=CVE-2026-33195"},{"name":"CVE-2026-33173","url":"https://www.cve.org/CVERecord?id=CVE-2026-33173"},{"name":"CVE-2026-33176","url":"https://www.cve.org/CVERecord?id=CVE-2026-33176"},{"name":"CVE-2026-33174","url":"https://www.cve.org/CVERecord?id=CVE-2026-33174"},{"name":"CVE-2026-33167","url":"https://www.cve.org/CVERecord?id=CVE-2026-33167"},{"name":"CVE-2026-33170","url":"https://www.cve.org/CVERecord?id=CVE-2026-33170"}],"links":[],"reference":"CERTFR-2026-AVI-0349","revisions":[{"description":"Version initiale","revision_date":"2026-03-24T00:00:00.000000"},{"description":"Correction des r\u00e9f\u00e9rences CVE","revision_date":"2026-03-24T00:00:00.000000"}],"risks":[{"description":"D\u00e9ni de service \u00e0 distance"},{"description":"Injection de code indirecte \u00e0 distance (XSS)"},{"description":"Ex\u00e9cution de code arbitraire \u00e0 distance"},{"description":"Atteinte \u00e0 l'int\u00e9grit\u00e9 des donn\u00e9es"},{"description":"Contournement de la politique de s\u00e9curit\u00e9"}],"summary":"De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Ruby on Rails. Certaines d'entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 l'int\u00e9grit\u00e9 des donn\u00e9es.","title":"Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails","vendor_advisories":[{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90912","url":"https://discuss.rubyonrails.org/t/cve-2026-33168-possible-xss-vulnerability-in-action-view-tag-helpers/90912"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90911","url":"https://discuss.rubyonrails.org/t/cve-2026-33169-possible-redos-vulnerability-in-number-to-delimited-in-active-support/90911"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90910","url":"https://discuss.rubyonrails.org/t/cve-2026-33170-possible-xss-vulnerability-in-safebuffer-in-active-support/90910"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90913","url":"https://discuss.rubyonrails.org/t/cve-2026-33167-possible-xss-vulnerability-in-action-pack-debug-exceptions/90913"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90906","url":"https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90908","url":"https://discuss.rubyonrails.org/t/cve-2026-33174-possible-dos-vulnerability-in-active-storage-proxy-mode-via-range-requests/90908"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90903","url":"https://discuss.rubyonrails.org/t/cve-2026-33202-possible-glob-injection-in-active-storage-diskservice/90903"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90904","url":"https://discuss.rubyonrails.org/t/cve-2026-33195-possible-path-traversal-in-active-storage-diskservice/90904"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90909","url":"https://discuss.rubyonrails.org/t/cve-2026-33173-insufficient-filtering-of-metadata-in-active-storage-direct-uploads/90909"},{"published_at":"2026-03-23","title":"Bulletin de s\u00e9curit\u00e9 Ruby on Rails 90907","url":"https://discuss.rubyonrails.org/t/cve-2026-33176-possible-dos-vulnerability-in-active-support-number-helpers/90907"}]}