Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions gems/view_component/CVE-2026-54497.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
gem: view_component
cve: 2026-54497
ghsa: 9h85-g7w3-rh49
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
title: Reused Component Instances Retain Stale Render Context
date: 2026-06-04
description: |
## Summary

ViewComponent::Base instances retain multiple render-scoped objects
across calls to render_in. If the same component, collection, or
spacer component instance is reused across requests, users, tenants,
or threads, later renders can use stale helpers, controller, request,
view_flow, format/variant details, and slot child context from an
earlier render.

This can cause authorization-aware components to render privileged UI
for a lower-privileged user, generate links using a stale Host header,
leak slot/helper state, and mix request context under concurrent rendering.
cvss_v3: 6.8
unaffected_versions:
- "< 4.0.0"
patched_versions:
- ">= 4.12.0"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49
notes: |
- cvss_v3 came from GHSA.
- CVE is reserved, but not published so no non-GHSA cvss values.
33 changes: 33 additions & 0 deletions gems/view_component/CVE-2026-54498.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
gem: view_component
cve: 2026-54498
ghsa: 97jw-64cj-jc58
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
title: around_render HTML-Safety Bypass
date: 2026-06-04
description: |
## Summary

ViewComponent::Base#around_render can return HTML-unsafe strings that
bypass the escaping behavior applied to normal #call return values.
This creates an XSS risk when downstream applications use around_render
to wrap, replace, instrument, or conditionally return content that
includes user-controlled data.

The issue is especially dangerous in collection rendering because
ViewComponent::Collection#render_in joins the per-item results and
marks the entire output as html_safe, converting raw unsafe
output into a trusted ActiveSupport::SafeBuffer.
cvss_v3: 8.7
unaffected_versions:
- "< 4.0.0"
patched_versions:
- ">= 4.12.0"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58
notes: |
- cvss_v3 came from GHSA.
- CVE is reserved, but not published so no non-GHSA cvss values.