Source: ruby-view-component
Version: 4.8.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for ruby-view-component.

CVE-2026-44836[0]:
| view_component is a framework for building reusable, testable, and
| encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0,
| the preview route derives an example name from the URL and calls it
| with public_send. The code does not verify that the requested method
| is one of the preview examples explicitly defined by the preview
| class. As a result, inherited public methods on
| ViewComponent::Preview are route-reachable. The most important one
| is render_with_template, which accepts template: and locals:. Those
| values can come from request params and are later passed to Rails as
| render template:. If previews are exposed, an attacker can render
| internal Rails templates that are not otherwise routable. This
| vulnerability is fixed in 4.9.0.
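As an added illustration of the dispatch problem the first CVE description names (this is constructed stand-in code, not view_component's own or part of this bug report): a preview base class with an inherited public helper that takes caller-supplied rendering options, a preview subclass defining two examples, and two dispatchers. The unchecked one calls whatever public method the URL-derived name resolves to, so the inherited helper is reachable; the allowlisted one only dispatches to public methods the preview class itself defines. `PreviewBase`, `ButtonPreview`, `render_with_template`'s return value and the dispatcher names are all assumptions for the example.

```ruby
# Added example, constructed for illustration: NOT view_component's code.

# Hypothetical base class: inherited public helpers live here.
class PreviewBase
  # Stand-in for an inherited helper that accepts caller-supplied options.
  # Returns a hash so the caller can see exactly what reached it.
  def render_with_template(template: nil, locals: {})
    { template: template, locals: locals }
  end
end

# Hypothetical preview class: only these two methods are meant to be routable.
class ButtonPreview < PreviewBase
  def default
    "button/default"
  end

  def with_icon
    "button/with_icon"
  end
end

class UnknownExampleError < StandardError; end

# Weak dispatch (the pattern the CVE describes): any public method, inherited
# ones included, is reachable from the URL-derived example name, and request
# params are forwarded to it.
def dispatch_unchecked(klass, example_name, **params)
  preview = klass.new
  if params.empty?
    preview.public_send(example_name)
  else
    preview.public_send(example_name, **params)
  end
end

# The examples a preview class actually defines: public methods declared on
# the class itself (the `false` argument excludes inherited methods).
def allowed_examples(klass)
  klass.public_instance_methods(false).map(&:to_s).sort
end

# Hardened dispatch: reject anything outside the allowlist and never forward
# request params into the example method.
def dispatch_allowlisted(klass, example_name, **_params)
  name = example_name.to_s
  unless allowed_examples(klass).include?(name)
    raise UnknownExampleError, "not a preview example: #{name}"
  end
  klass.new.public_send(name)
end
```

With the unchecked dispatcher, the name `render_with_template` plus `template:` and `locals:` params reaches the inherited helper; with the allowlisted one the same request is refused before any method is called, because `allowed_examples(ButtonPreview)` is just `["default", "with_icon"]`.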


CVE-2026-44837[1]:
| view_component is a framework for building reusable, testable, and
| encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0,
| the system test entrypoint canonicalizes a user-controlled file path
| with File.realpath, then checks whether the resolved path starts
| with the temp directory path. This is not a safe containment check
| because sibling directories can share the same string prefix. This
| vulnerability is fixed in 4.9.0.
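As an added illustration of the containment check the second CVE description names (constructed stand-in code, not view_component's own or part of this bug report): a prefix-only check after `File.realpath` beside a check that also requires a path separator after the base directory. The `demo_containment` helper builds a throwaway layout under a fresh temp directory with an `allowed` base, an `allowed_evil` sibling that shares its string prefix, and a `..` traversal path, and returns both checks' answers for each case; the directory and file names are assumptions for the example.

```ruby
# Added example, constructed for illustration: NOT view_component's code.
require "fileutils"
require "tmpdir"

# Weak containment check (the pattern the CVE describes): a bare string-prefix
# test on the resolved path, which also accepts "<base>_evil/..." siblings.
def contained_by_prefix?(base_dir, user_path)
  resolved = File.realpath(user_path)
  resolved.start_with?(File.realpath(base_dir))
rescue Errno::ENOENT
  false
end

# Hardened containment check: resolve both paths (symlinks and ".." collapsed),
# then accept only the base itself or a path that begins with the base followed
# by a separator, so "/x/allowed_evil" is not treated as inside "/x/allowed".
def contained?(base_dir, user_path)
  base = File.realpath(base_dir)
  resolved = File.realpath(user_path)
  return true if resolved == base
  prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR
  resolved.start_with?(prefix)
rescue Errno::ENOENT
  false
end

# Builds a constructed layout under a fresh temp dir and returns
# [prefix_check, hardened_check] for each interesting case.
def demo_containment
  Dir.mktmpdir("vc_demo") do |root|
    base = File.join(root, "allowed")
    sibling = File.join(root, "allowed_evil") # shares the string prefix
    FileUtils.mkdir_p(base)
    FileUtils.mkdir_p(sibling)
    inside = File.join(base, "ok.html.erb")
    outside = File.join(sibling, "secret.html.erb")
    File.write(inside, "inside")
    File.write(outside, "outside")
    # A ".." traversal that realpath collapses onto the sibling file.
    traversal = File.join(base, "..", "allowed_evil", "secret.html.erb")
    missing = File.join(base, "does-not-exist")

    {
      inside: [contained_by_prefix?(base, inside), contained?(base, inside)],
      sibling: [contained_by_prefix?(base, outside), contained?(base, outside)],
      traversal: [contained_by_prefix?(base, traversal), contained?(base, traversal)],
      missing: [contained_by_prefix?(base, missing), contained?(base, missing)]
    }
  end
end
```

Running `demo_containment` shows the prefix check accepting both the sibling file and the `..` traversal (both resolve to a string that starts with the base), while the separator-aware check accepts only the file that really lives under `allowed`; a non-existent path is rejected by both because `File.realpath` raises.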


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44836
    https://www.cve.org/CVERecord?id=CVE-2026-44836
[1] https://security-tracker.debian.org/tracker/CVE-2026-44837
    https://www.cve.org/CVERecord?id=CVE-2026-44837

Regards,
Salvatore
