ViewComponent implements a system test entry point that sanitizes a user‑controlled file path with File.realpath and then verifies that the resolved path starts with the temporary directory prefix. This containment check is not safe because sibling directories can share the same string prefix, allowing an attacker to craft a path that resolves to a sibling of the intended temp directory. The result is an unintended disclosure or modification of files outside the test sandbox, classified as CWE‑187 – Improper Restriction of Operations within the Bounds of a Resource. The CVSS score of 5.9 indicates the vulnerability is of moderate severity.

The flaw persists in ViewComponent versions 3.0.0 through 4.9.0. Systems that have not upgraded to the 4.9.0 release, which implements the correct containment logic, are vulnerable. No specific operating system or deployment environment is excluded; the issue solely depends on the ViewComponent library version in use.

The CVSS score of 5.9 reflects moderate risk, while no EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting a lower likelihood of current exploitation. Based on the description, it is inferred that the attacker must control or influence the file path supplied to the system test entry point, typically by injecting custom test data or tampering with the test execution environment. Consequently, the exploitation window is limited to environments where the test harness is exposed to untrusted input or where an attacker can manipulate test configuration.