CVE-2026-33209 (avo): Avo has a XSS vulnerability on `return_to` param
    
    
      
        














March 18th...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

A reflected XSS vulnerability (CVE-2026-33209) has been discovered in the Avo Ruby gem. The flaw exists in the `return_to` query parameter, allowing attackers to inject arbitrary JavaScript via a crafted URL that triggers when a dynamically generated navigation button is clicked. The vulnerability affects both authenticated and unauthenticated deployments, though impact differs. The fix is available in Avo version 3.30.3 and above.