Search for packages
| purl | pkg:gem/view_component@2.78.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3c4m-sbhc-4yb3
Aliases: CVE-2026-44836 GHSA-7f3r-gwc9-2995 |
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-bjbs-7tvw-augp
Aliases: CVE-2026-44837 GHSA-hg3h-g7xc-f7vp |
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-q6rr-gydj-vqgm
Aliases: CVE-2024-21636 GHSA-wf2x-8w6j-qw37 |
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-13T09:29:06.267256+00:00 | Ruby Importer | Affected by | VCID-3c4m-sbhc-4yb3 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44836.yml | 38.6.0 |
| 2026-06-13T09:29:04.933272+00:00 | Ruby Importer | Affected by | VCID-bjbs-7tvw-augp | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44837.yml | 38.6.0 |
| 2026-06-13T09:23:50.551559+00:00 | Ruby Importer | Affected by | VCID-q6rr-gydj-vqgm | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2024-21636.yml | 38.6.0 |
| 2026-06-12T19:16:07.370579+00:00 | GitLab Importer | Affected by | VCID-q6rr-gydj-vqgm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/view_component/CVE-2024-21636.yml | 38.6.0 |