CVE-2026-44836 · CVSS 6.5 · EXPLOITED · PATCHED
github · view_component

view_component: Preview Route Can Dispatch Inherited Helper Methods

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0.
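The dispatch flaw described above, as an added illustration that is not view_component's own code: a stand-in base class and preview class (names constructed), the unchecked public_send dispatcher, and the allow-list check that limits routing to the examples the preview class itself defines.

```ruby
# Simplified model of the preview route described above (constructed for
# illustration; not view_component's own code). BasePreview stands in for
# ViewComponent::Preview; ButtonPreview is an application's preview class.
class BasePreview
  # Inherited public helper. In the real framework template:/locals: end up
  # in Rails' `render template:`; here it only records what would be rendered.
  def render_with_template(template: nil, locals: {})
    { rendered: template, locals: locals }
  end
end

class ButtonPreview < BasePreview
  # The only two examples the author intends to be routable.
  def default
    { rendered: "button_preview/default", locals: {} }
  end

  def with_title
    { rendered: "button_preview/with_title", locals: { title: "Hi" } }
  end
end

class ExampleNotFound < StandardError; end

# Vulnerable pattern: the example name from the URL goes straight to
# public_send, so every public method, inherited ones included, is reachable
# and request params become its keyword arguments.
def dispatch_unchecked(preview_class, example, params = {})
  preview_class.new.public_send(example, **params)
end

# Examples explicitly defined by the preview class itself; inherited public
# methods such as render_with_template are not in this list.
def defined_examples(preview_class)
  preview_class.public_instance_methods(false).map(&:to_s).sort
end

# Fixed pattern: refuse anything that is not a defined example before
# dispatching. A route would turn ExampleNotFound into a 404.
def dispatch_checked(preview_class, example, params = {})
  unless defined_examples(preview_class).include?(example)
    raise ExampleNotFound, "#{preview_class}##{example} is not a preview example"
  end
  preview_class.new.public_send(example, **params)
end
```

The unchecked dispatcher reaches the inherited helper with caller-supplied template:, while the checked one only ever calls default or with_title.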

Affected Products

Vendor: github
Product: view_component
Versions: >= 3.0.0, < 4.9.0

References

  • https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995 (x_refsource_CONFIRM)

Related News (1 article)

Tier C · VulDB · 3d ago
CVE-2026-44836 | ViewComponent view_component up to 4.8.x on Rails routine (GHSA-7f3r-gwc9-2995)
→ No new info (linked only)
CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: null
CWE: CWE-749
Published: May 8, 2026
Last enriched: 3d ago (v2)
Tags: GHSA-7f3r-gwc9-2995, rubygems
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

PRE-CVE · EXP
Supply Chain Compromise via Malicious Nx Console Visual Studio Code Extension v18.95.0
Trending: 34

CRITICAL · CVE-2026-8606
Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
Trending: 27

MEDIUM · CVE-2026-44837 · EXP
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
Trending: 27

NONE · CVE-2026-9312
Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint
Trending: 23

LOW · CVE-2026-45803 · EXP
gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Trending: 14

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 8, 2026
Discovered by ZDM: May 8, 2026
Updated (affectedVersions, severity, activelyExploited, patchAvailable): May 26, 2026
Actively Exploited: May 27, 2026
Patch Available: May 27, 2026

Version History

v2 · Last enriched 3d ago

v2 · Tier C · 3d ago

Updated affected versions to < 4.8.x, changed severity to HIGH, and noted that no exploit exists.

Fields changed: affectedVersions, severity, activelyExploited, patchAvailable
via VulDB

v1 · 21d ago

Initial creation