Package details: pkg:gem/view_component@4.0.0.alpha1
purl: pkg:gem/view_component@4.0.0.alpha1
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 3.1
Vulnerabilities affecting this package (2)
Vulnerability: VCID-3c4m-sbhc-4yb3
Aliases: CVE-2026-44836, GHSA-7f3r-gwc9-2995
Summary: view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
Fixed by: 4.9.0 (affected by 2 other vulnerabilities)

Vulnerability: VCID-bjbs-7tvw-augp
Aliases: CVE-2026-44837, GHSA-hg3h-g7xc-f7vp
Summary: view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0.
Fixed by: 4.9.0 (affected by 2 other vulnerabilities)
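The sibling-prefix flaw described in the second entry, as an added example that is not code from the page or from the view_component project: it builds a constructed directory layout (a sandbox and a sibling named sandbox_evil), shows that a realpath-then-start_with? check accepts a path in the sibling, and contrasts it with an ancestor check on path components. All method names here are hypothetical.

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Constructed layout: a sandbox directory and a sibling whose name shares its
# string prefix (root/sandbox and root/sandbox_evil). Yields both paths.
def with_sibling_dirs
  Dir.mktmpdir("vc_demo") do |root|
    sandbox = File.join(root, "sandbox")
    sibling = File.join(root, "sandbox_evil")
    FileUtils.mkdir_p(sandbox)
    FileUtils.mkdir_p(sibling)
    FileUtils.touch(File.join(sandbox, "ok.rb"))
    FileUtils.touch(File.join(sibling, "secret.rb"))
    yield sandbox, sibling
  end
end

# The flawed pattern from the advisory: canonicalize, then compare as a bare
# string prefix. "root/sandbox_evil/..." starts with "root/sandbox", so it passes.
def naive_contained?(path, base)
  File.realpath(path).start_with?(File.realpath(base))
end

# Hardened check: canonicalize both sides, then require the base directory to
# be an ancestor of the path component by component (Pathname#ascend walks
# from the path up through its parents). A missing path is treated as outside.
def contained?(path, base)
  real_base = Pathname.new(File.realpath(base))
  real_path = Pathname.new(File.realpath(path))
  real_path.ascend.any? { |ancestor| ancestor == real_base }
rescue Errno::ENOENT
  false
end

# Runs both checks against a file inside the sandbox and one in the sibling.
def demo
  with_sibling_dirs do |sandbox, sibling|
    evil = File.join(sibling, "secret.rb")
    ok = File.join(sandbox, "ok.rb")
    {
      naive_accepts_sibling: naive_contained?(evil, sandbox),
      hardened_accepts_sibling: contained?(evil, sandbox),
      hardened_accepts_inside: contained?(ok, sandbox)
    }
  end
end
```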
Vulnerabilities fixed by this package (2)
VCID-3c4m-sbhc-4yb3 (aliases: CVE-2026-44836, GHSA-7f3r-gwc9-2995): summary as given in the table above.
VCID-bjbs-7tvw-augp (aliases: CVE-2026-44837, GHSA-hg3h-g7xc-f7vp): summary as given in the table above.

History
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-13T09:29:06.921991+00:00 | Ruby Importer | Fixing | VCID-3c4m-sbhc-4yb3 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44836.yml | 38.6.0
2026-06-13T09:29:06.413006+00:00 | Ruby Importer | Affected by | VCID-3c4m-sbhc-4yb3 | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44836.yml | 38.6.0
2026-06-13T09:29:05.561336+00:00 | Ruby Importer | Fixing | VCID-bjbs-7tvw-augp | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44837.yml | 38.6.0
2026-06-13T09:29:05.077375+00:00 | Ruby Importer | Affected by | VCID-bjbs-7tvw-augp | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44837.yml | 38.6.0
2026-06-12T22:24:12.272958+00:00 | GitLab Importer | Affected by | VCID-3c4m-sbhc-4yb3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/view_component/CVE-2026-44836.yml | 38.6.0
2026-06-12T22:24:11.936738+00:00 | GitLab Importer | Affected by | VCID-bjbs-7tvw-augp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/view_component/CVE-2026-44837.yml | 38.6.0