Package details: pkg:gem/view_component@4.9.0
purl pkg:gem/view_component@4.9.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-667y-n17w-fyfh | view_component - Preview Route Can Dispatch Inherited Helper Methods. The preview route derives an example name from the URL and calls it with `public_send`. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on `ViewComponent::Preview` are route-reachable. The most important one is `render_with_template`, which accepts `template:` and `locals:`. Those values can come from request params and are later passed to Rails as `render template:`. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. Severity: High if preview routes are externally reachable; Medium otherwise. | CVE-2026-44836, GHSA-7f3r-gwc9-2995 |
| VCID-xb7g-snwv-4qcv | view_component - System Test Entry Point Path Check Allows Sibling Directory Escape. The system test entrypoint canonicalizes a user-controlled file path with `File.realpath`, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-route scoped. | CVE-2026-44837, GHSA-hg3h-g7xc-f7vp |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-07T20:55:17.008404+00:00 | GHSA Importer | Fixing | VCID-xb7g-snwv-4qcv | https://github.com/advisories/GHSA-hg3h-g7xc-f7vp | 38.6.0 |
| 2026-06-07T20:55:16.960444+00:00 | GHSA Importer | Fixing | VCID-667y-n17w-fyfh | https://github.com/advisories/GHSA-7f3r-gwc9-2995 | 38.6.0 |
| 2026-06-07T16:46:12.017164+00:00 | GitLab Importer | Fixing | VCID-667y-n17w-fyfh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/view_component/CVE-2026-44836.yml | 38.6.0 |
| 2026-06-07T16:46:10.844727+00:00 | GitLab Importer | Fixing | VCID-xb7g-snwv-4qcv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/view_component/CVE-2026-44837.yml | 38.6.0 |
| 2026-06-04T17:03:48.327936+00:00 | GithubOSV Importer | Fixing | VCID-xb7g-snwv-4qcv | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hg3h-g7xc-f7vp/GHSA-hg3h-g7xc-f7vp.json | 38.6.0 |
| 2026-06-04T17:03:10.027081+00:00 | GithubOSV Importer | Fixing | VCID-667y-n17w-fyfh | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7f3r-gwc9-2995/GHSA-7f3r-gwc9-2995.json | 38.6.0 |