Search criteria
7 vulnerabilities found for view_component by ViewComponent
CVE-2026-44837 (GCVE-0-2026-44837)
Vulnerability from nvd – Published: 2026-05-26 19:40 – Updated: 2026-05-28 14:04
VLAI
Title
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0.
Severity
5.9 (Medium)
CWE
- CWE-187 - Partial String Comparison
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 4.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44837",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:03:17.325766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:04:27.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:40:47.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"source": {
"advisory": "GHSA-hg3h-g7xc-f7vp",
"discovery": "UNKNOWN"
},
"title": "view_component: System Test Entry Point Path Check Allows Sibling Directory Escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44837",
"datePublished": "2026-05-26T19:40:47.661Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-28T14:04:27.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44836 (GCVE-0-2026-44836)
Vulnerability from nvd – Published: 2026-05-26 19:43 – Updated: 2026-05-27 13:21
VLAI
Title
view_component: Preview Route Can Dispatch Inherited Helper Methods
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
Severity
6.5 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 4.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44836",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:21:32.395983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:21:54.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:43:58.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"source": {
"advisory": "GHSA-7f3r-gwc9-2995",
"discovery": "UNKNOWN"
},
"title": "view_component: Preview Route Can Dispatch Inherited Helper Methods"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44836",
"datePublished": "2026-05-26T19:43:58.008Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-27T13:21:54.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-21636 (GCVE-0-2024-21636)
Vulnerability from nvd – Published: 2024-01-04 20:09 – Updated: 2025-06-17 20:29
VLAI
Title
view_component Cross-site Scripting vulnerability
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 3.9.0
Affected: < 2.83.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.781Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T21:13:15.952519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:11.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.9.0"
},
{
"status": "affected",
"version": "\u003c 2.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T15:49:12.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"source": {
"advisory": "GHSA-wf2x-8w6j-qw37",
"discovery": "UNKNOWN"
},
"title": "view_component Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21636",
"datePublished": "2024-01-04T20:09:08.564Z",
"dateReserved": "2023-12-29T03:00:44.957Z",
"dateUpdated": "2025-06-17T20:29:11.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-44836 (GCVE-0-2026-44836)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:43 – Updated: 2026-05-27 13:21
VLAI
Title
view_component: Preview Route Can Dispatch Inherited Helper Methods
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
Severity
6.5 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 4.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44836",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:21:32.395983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:21:54.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:43:58.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"source": {
"advisory": "GHSA-7f3r-gwc9-2995",
"discovery": "UNKNOWN"
},
"title": "view_component: Preview Route Can Dispatch Inherited Helper Methods"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44836",
"datePublished": "2026-05-26T19:43:58.008Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-27T13:21:54.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44837 (GCVE-0-2026-44837)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:40 – Updated: 2026-05-28 14:04
VLAI
Title
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0.
Severity
5.9 (Medium)
CWE
- CWE-187 - Partial String Comparison
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 4.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44837",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:03:17.325766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:04:27.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:40:47.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"source": {
"advisory": "GHSA-hg3h-g7xc-f7vp",
"discovery": "UNKNOWN"
},
"title": "view_component: System Test Entry Point Path Check Allows Sibling Directory Escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44837",
"datePublished": "2026-05-26T19:40:47.661Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-28T14:04:27.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-21636 (GCVE-0-2024-21636)
Vulnerability from cvelistv5 – Published: 2024-01-04 20:09 – Updated: 2025-06-17 20:29
VLAI
Title
view_component Cross-site Scripting vulnerability
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ViewComponent | view_component |
Affected:
>= 3.0.0, < 3.9.0
Affected: < 2.83.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.781Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T21:13:15.952519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:11.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.9.0"
},
{
"status": "affected",
"version": "\u003c 2.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T15:49:12.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"source": {
"advisory": "GHSA-wf2x-8w6j-qw37",
"discovery": "UNKNOWN"
},
"title": "view_component Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21636",
"datePublished": "2024-01-04T20:09:08.564Z",
"dateReserved": "2023-12-29T03:00:44.957Z",
"dateUpdated": "2025-06-17T20:29:11.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-21636
Vulnerability from fkie_nvd - Published: 2024-01-04 20:15 - Updated: 2024-11-21 08:54
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| viewcomponent | view_component | * | |
| viewcomponent | view_component | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "7E014569-73E5-4B59-8BC9-4EE2E2EE7F8E",
"versionEndExcluding": "2.83.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*",
"matchCriteriaId": "A7D836B9-1CF7-4AEA-9FC7-BA0EEFDE3465",
"versionEndExcluding": "3.9.0",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."
},
{
"lang": "es",
"value": "view_component es un framework para crear componentes de vista reutilizables, comprobables y encapsulados en Ruby on Rails. Las versiones anteriores a la 3.9.0 tienen una vulnerabilidad de cross site scripting que tiene el potencial de afectar a cualquiera que renderice un componente directamente desde un controlador con la gema view_component. Tenga en cuenta que s\u00f3lo se ven afectados los componentes que definen un m\u00e9todo `#call` (es decir, en lugar de utilizar una plantilla complementaria). El valor de retorno del m\u00e9todo `#call` no est\u00e1 sanitizado y puede incluir contenido definido por el usuario. Adem\u00e1s, el valor de retorno del m\u00e9todo `#output_postamble` no est\u00e1 sanitizado, lo que tambi\u00e9n puede provocar problemas de cross site scripting. Se lanz\u00f3 la versi\u00f3n 3.9.0 y mitiga por completo las vulnerabilidades `#call` y `#output_postamble`. Como workaround, sanitice valor de retorno de `#call`."
}
],
"id": "CVE-2024-21636",
"lastModified": "2024-11-21T08:54:46.410",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-04T20:15:25.300",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}