3 vulnerabilities by viewcomponent
CVE-2026-44836 (GCVE-0-2026-44836)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:43 – Updated: 2026-05-27 13:21
Title
view_component: Preview Route Can Dispatch Inherited Helper Methods
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
Severity
6.5 (Medium)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner: GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ViewComponent | view_component | Affected: >= 3.0.0, < 4.9.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44836",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T13:21:32.395983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T13:21:54.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:43:58.008Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995"
}
],
"source": {
"advisory": "GHSA-7f3r-gwc9-2995",
"discovery": "UNKNOWN"
},
"title": "view_component: Preview Route Can Dispatch Inherited Helper Methods"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44836",
"datePublished": "2026-05-26T19:43:58.008Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-27T13:21:54.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44837 (GCVE-0-2026-44837)
Vulnerability from cvelistv5 – Published: 2026-05-26 19:40 – Updated: 2026-05-28 14:04
Title
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0.
Severity
5.9 (Medium)
CWE
- CWE-187 - Partial String Comparison
Assigner: GitHub_M
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ViewComponent | view_component | Affected: >= 3.0.0, < 4.9.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44837",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T14:03:17.325766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T14:04:27.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:40:47.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp"
}
],
"source": {
"advisory": "GHSA-hg3h-g7xc-f7vp",
"discovery": "UNKNOWN"
},
"title": "view_component: System Test Entry Point Path Check Allows Sibling Directory Escape"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44837",
"datePublished": "2026-05-26T19:40:47.661Z",
"dateReserved": "2026-05-07T21:21:48.352Z",
"dateUpdated": "2026-05-28T14:04:27.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-21636 (GCVE-0-2024-21636)
Vulnerability from cvelistv5 – Published: 2024-01-04 20:09 – Updated: 2025-06-17 20:29
Title
view_component Cross-site Scripting vulnerability
Summary
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner: GitHub_M
References
5 references
| URL | Tags |
|---|---|
| https://github.com/ViewComponent/view_component/s… | x_refsource_CONFIRM |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/p… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
| https://github.com/ViewComponent/view_component/c… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ViewComponent | view_component | Affected: >= 3.0.0, < 3.9.0; Affected: < 2.83.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.781Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T21:13:15.952519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:11.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "view_component",
"vendor": "ViewComponent",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.9.0"
},
{
"status": "affected",
"version": "\u003c 2.83.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-09T15:49:12.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1950"
},
{
"name": "https://github.com/ViewComponent/view_component/pull/1962",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/pull/1962"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"
},
{
"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"
}
],
"source": {
"advisory": "GHSA-wf2x-8w6j-qw37",
"discovery": "UNKNOWN"
},
"title": "view_component Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21636",
"datePublished": "2024-01-04T20:09:08.564Z",
"dateReserved": "2023-12-29T03:00:44.957Z",
"dateUpdated": "2025-06-17T20:29:11.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}