QSearchQSearch

CVE-2026-44836

6.5 MEDIUM

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails

Published: 2026-05-26 · Last updated: 2026-06-01

Severity and scoring

CVSS
6.5 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-749

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-7516 A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could al... (4.3 MEDIUM)
  • CVE-2026-47899 The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path v...
  • CVE-2026-44698 Home Assistant is open source home automation software that puts local control and privacy first (8.3 HIGH)
  • CVE-2026-44798 Nautobot is a Network Source of Truth and Network Automation Platform (7.1 HIGH)
  • CVE-2025-14713 An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote... (7.5 HIGH)