Zero Day Monitor (ZDM)
CVE-2026-44837 · CVSS 5.9 · EXPLOITED · PATCHED
github · view_component

view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. In versions from 3.0.0 up to, but not including, 4.9.0, the system test entry point canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check, because a sibling directory can share the same string prefix as the temp directory. This vulnerability is fixed in 4.9.0.
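The prefix-check flaw from the description, shown beside a hardened check, as an added Ruby example that is not view_component's own code; the temp directory, sibling directory and file names are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Flawed containment check (the pattern the advisory describes):
# a plain string-prefix test on the canonicalized path. Both sides are
# canonicalized so the comparison is not fooled by /tmp symlinks.
def inside_tmp_prefix?(path, tmpdir)
  File.realpath(path).start_with?(File.realpath(tmpdir))
end

# Hardened check: canonicalize both sides, then accept only the base
# directory itself or a path below it on a component boundary.
# "#{base}/" can never be a prefix of a sibling such as "#{base}-x".
def inside_tmp_dir?(path, tmpdir)
  base = File.realpath(tmpdir)
  real = File.realpath(path)
  real == base || real.start_with?(base + File::SEPARATOR)
end

# Constructed scenario: a temp dir, a sibling dir whose name extends the
# temp dir's name, one file in each, plus a symlink inside the temp dir
# that points at the sibling's file. Returns what both checks decide.
def demo
  Dir.mktmpdir("vc-demo") do |tmpdir|
    sibling = "#{tmpdir}-sibling"          # shares tmpdir as a string prefix
    Dir.mkdir(sibling)
    begin
      good = File.join(tmpdir, "entry.rb")
      bad  = File.join(sibling, "entry.rb")
      link = File.join(tmpdir, "link.rb")
      File.write(good, "")
      File.write(bad, "")
      File.symlink(bad, link)              # realpath resolves this to `bad`
      {
        flawed_accepts_inside:  inside_tmp_prefix?(good, tmpdir),
        flawed_accepts_sibling: inside_tmp_prefix?(bad, tmpdir),  # the bug
        fixed_accepts_inside:   inside_tmp_dir?(good, tmpdir),
        fixed_accepts_sibling:  inside_tmp_dir?(bad, tmpdir),
        fixed_accepts_symlink:  inside_tmp_dir?(link, tmpdir),
      }
    ensure
      FileUtils.rm_rf(sibling)
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

Canonicalizing with File.realpath is still needed, as the symlink case shows; the fix is to compare on a path-separator boundary rather than on a bare prefix.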

Affected Products

Vendor   Product          Versions
github   view_component   >= 3.0.0, < 4.9.0

References

  • https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp (x_refsource_CONFIRM)

Related News (1 article)

Tier C · VulDB · 3d ago
CVE-2026-44837 | ViewComponent view_component up to 4.8.x on Rails partial string comparison (GHSA-hg3h-g7xc-f7vp)
→ No new info (linked only)
CVSS 3.1: 5.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: view_component@4.9.0
CWE: CWE-187
Published: May 8, 2026
Last enriched: 3d ago (v2)
Tags: GHSA-hg3h-g7xc-f7vp, rubygems
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

PRE-CVE · EXP
Supply Chain Compromise via Malicious Nx Console Visual Studio Code Extension v18.95.0
Trending: 34
CRITICAL · CVE-2026-8606
Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint
Trending: 27
MEDIUM · CVE-2026-44836 · EXP
view_component: Preview Route Can Dispatch Inherited Helper Methods
Trending: 27
NONE · CVE-2026-9312
Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint
Trending: 23
LOW · CVE-2026-45803 · EXP
gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Trending: 14

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 8, 2026
Discovered by ZDM: May 8, 2026
Updated (affectedVersions, severity, activelyExploited): May 26, 2026
Actively Exploited: May 28, 2026
Patch Available: May 28, 2026

Version History

v2 · Tier C · last enriched 3d ago

Updated affected versions to include 4.8.x, changed severity to HIGH, marked as actively exploited, and noted no exploit available.

Changed fields: affectedVersions, severity, activelyExploited
via VulDB
v1 · 21d ago

Initial creation