CVE-2026-44836 - Vulnerability Details

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.

Published: 2026-05-26

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

view_component, a Ruby on Rails framework, allows rendering arbitrary previews via the preview route from versions 3.0.0 through 4.9.0. The route derives an example name from the URL and calls it with public_send without checking whether the method exists in the preview class. An attacker can invoke inherited public methods such as render_with_template, which accepts template and locals parameters from the request. Those values are later passed to Rails as render template, enabling the attacker to render internal Rails templates that are otherwise not routable, potentially exposing sensitive information or code execution vectors.

Affected Systems

The vulnerability affects the ViewComponent library for Ruby on Rails. All releases between 3.0.0 and 4.9.0 are affected. The issue was resolved in version 4.9.0. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a crafted HTTP request to the preview route, which an attacker can use if previews are exposed to the public. Successful exploitation would allow rendering of arbitrary internal templates, leading to information disclosure or potential code execution, depending on the template contents.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ViewComponent

view_component

affected

Version	Status	Constraints
`>= 3.0.0, < 4.9.0`	affected	—

No data.

Vendor Product Confidence Versions

Viewcomponent

View Component

100%

Version	Status	Scheme	Platform
`[3.0.0,4.9.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ViewComponent to release 4.9.0 or later.
Disable or restrict access to the preview routes in production environments.
If upgrading immediately is not possible, restrict the preview route to a protected admin area or remove the public_send call by manually whitelisting preview methods.

Generated by OpenCVE AI on May 26, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-7f3r-gwc9-2995	view_component: Preview Route Can Dispatch Inherited Helper Methods

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995

History

Tue, 26 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Viewcomponent Viewcomponent view Component
Vendors & Products		Viewcomponent Viewcomponent view Component

Tue, 26 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
Title		view_component: Preview Route Can Dispatch Inherited Helper Methods
Weaknesses		CWE-749
References		https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Viewcomponent View Component

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-26T19:43:58.008Z

Updated: 2026-05-26T19:43:58.008Z

Reserved: 2026-05-07T21:21:48.352Z

Link: CVE-2026-44836

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T21:16:38.710

Modified: 2026-05-26T21:16:38.710

Link: CVE-2026-44836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T21:30:16Z

Weaknesses

CWE-749

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object