rubysec · jasnow · May 25, 2026
diff --git a/gems/actionpack/CVE-2024-26143.yml b/gems/actionpack/CVE-2024-26143.yml
@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2024-26143
 ghsa: 9822-6m93-xqf4
-url: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
+url: https://nvd.nist.gov/vuln/detail/CVE-2024-26143
 title: Possible XSS Vulnerability in Action Controller
 date: 2024-02-21
 description: |
@@ -41,8 +41,8 @@ description: |
   * Use a default value where the default value is untrusted and unescaped input
   * Send the text to the victim (whether that’s part of a template, or a
     `render` call)
-
-  All users running an affected release should either upgrade or use one of the workarounds immediately.
+  All users running an affected release should either upgrade or use one
+  of the workarounds immediately.
 
   # Releases
 
@@ -57,3 +57,11 @@ unaffected_versions:
 patched_versions:
   - "~> 7.0.8, >= 7.0.8.1"
   - ">= 7.1.3.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-26143
+    - https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
+    - https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
+    - https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
+    - https://security.netapp.com/advisory/ntap-20240510-0004
+    - https://github.com/advisories/GHSA-9822-6m93-xqf4