Medium severity (5.9) · NVD Advisory · Published May 26, 2026 · Updated Jun 2, 2026
CVE-2026-44837
Description
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0.
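The flawed check described above beside a component-based replacement, as an added Ruby example (not the project's code; the helper names and the directory layout are constructed for illustration):

```ruby
require "tmpdir"
require "fileutils"
require "pathname"

# Weak containment check of the kind the advisory describes: canonicalize the
# path with File.realpath, then test whether the result merely starts with the
# base directory string. "/tmp/app-sibling/x" starts with "/tmp/app", so a
# sibling directory sharing the prefix is wrongly treated as inside.
def inside_by_prefix?(base, candidate)
  File.realpath(candidate).start_with?(File.realpath(base))
end

# Hardened check: compare path components rather than characters. The relative
# path from base to candidate begins with ".." exactly when candidate lies
# outside base; the base directory itself yields "." and is accepted.
def inside_by_components?(base, candidate)
  base_real = Pathname.new(File.realpath(base))
  cand_real = Pathname.new(File.realpath(candidate))
  rel = cand_real.relative_path_from(base_real).to_s
  rel != ".." && !rel.start_with?("../")
end

# Constructed layout under a fresh temp root (not from the project):
#   <root>/app/inside.txt          legitimately inside the sandbox
#   <root>/app-sibling/outside.txt outside, but shares the "app" prefix
# Returns what each check concludes about the two files.
def demo_prefix_confusion
  Dir.mktmpdir("vc-demo") do |root|
    base = File.join(root, "app")
    sibling = File.join(root, "app-sibling")
    FileUtils.mkdir_p([base, sibling])
    inside = File.join(base, "inside.txt")
    outside = File.join(sibling, "outside.txt")
    File.write(inside, "in")
    File.write(outside, "out")
    {
      prefix_inside: inside_by_prefix?(base, inside),          # true
      prefix_outside: inside_by_prefix?(base, outside),        # true: the flaw
      components_inside: inside_by_components?(base, inside),  # true
      components_outside: inside_by_components?(base, outside) # false: rejected
    }
  end
end

puts demo_prefix_confusion.inspect if $PROGRAM_NAME == __FILE__
```

Both paths are canonicalized before comparison, so symlinks are resolved the same way in the weak and the hardened variant; only the comparison itself differs.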
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| view_component (RubyGems) | >= 3.0.0, < 4.9.0 | 4.9.0 |
Affected products
- cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:* (range: >= 3.0.0, < 4.9.0)
- OSV coordinates (no CPE), 8 packages:
  - pkg:apk/chainguard/gitlab-rails-ce-18.11 (range: < 18.11.2-r1)
  - pkg:apk/chainguard/gitlab-rails-ce-18.3 (range: < 18.3.6-r6)
  - pkg:apk/chainguard/gitlab-rails-ce-18.5 (range: < 18.5.5-r3)
  - pkg:apk/chainguard/gitlab-rails-ce-18.6 (range: < 18.6.6-r4)
  - pkg:apk/chainguard/gitlab-rails-ce-fips-18.3 (range: < 18.3.6-r7)
  - pkg:apk/chainguard/gitlab-rails-ce-fips-18.5 (range: < 18.5.5-r3)
  - pkg:apk/chainguard/gitlab-rails-ce-fips-18.8 (range: < 18.8.9-r1)
  - pkg:gem/view_component (range: >= 3.0.0, < 4.9.0)
References
- github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp (NVD: Exploit, Mitigation, Vendor Advisory; Web)
- github.com/advisories/GHSA-hg3h-g7xc-f7vp (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-44837 (GHSA: Advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-44837.yml (GHSA: Web)