RubyGems package
view_component
pkg:gem/view_component
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44837 | med | — | | >= 3.0.0, < 4.9.0 | 4.9.0 | May 8, 2026 | Summary: The system test entrypoint canonicalizes a user-controlled file path with `File.realpath`, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. S |
| CVE-2026-44836 | med | — | | >= 3.0.0, < 4.9.0 | 4.9.0 | May 8, 2026 | Summary: The preview route derives an example name from the URL and calls it with `public_send`. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on `ViewComponent |
| CVE-2024-21636 | | — | | >= 3.0.0, < 3.9.0 | 3.9.0 | Jan 4, 2024 | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller |
| CVE-2022-24722 | | — | | >= 2.31.0, < 2.31.2 | 2.31.2 | Mar 2, 2022 | ViewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and pa |