Skip to content

Commit d5f9c05

Browse files
jasnowRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@6471a8b
1 parent 6fce610 commit d5f9c05

2 files changed

Lines changed: 81 additions & 0 deletions

File tree

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54497 (view_component): Reused Component Instances Retain Stale Render
4+
Context'
5+
comments: false
6+
categories:
7+
- view_component
8+
advisory:
9+
gem: view_component
10+
cve: 2026-54497
11+
ghsa: 9h85-g7w3-rh49
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
13+
title: Reused Component Instances Retain Stale Render Context
14+
date: 2026-06-04
15+
description: |-
16+
## Summary
17+
18+
ViewComponent::Base instances retain multiple render-scoped objects
19+
across calls to render_in. If the same component, collection, or
20+
spacer component instance is reused across requests, users, tenants,
21+
or threads, later renders can use stale helpers, controller, request,
22+
view_flow, format/variant details, and slot child context from an
23+
earlier render.
24+
25+
This can cause authorization-aware components to render privileged UI
26+
for a lower-privileged user, generate links using a stale Host header,
27+
leak slot/helper state, and mix request context under concurrent rendering.
28+
cvss_v3: 6.8
29+
unaffected_versions:
30+
- "< 4.0.0"
31+
patched_versions:
32+
- ">= 4.12.0"
33+
related:
34+
url:
35+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497
36+
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
37+
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49
38+
notes: |
39+
- cvss_v3 came from GHSA.
40+
- CVE is reserved, but not published so no non-GHSA cvss values.
41+
---
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54498 (view_component): around_render HTML-Safety Bypass'
4+
comments: false
5+
categories:
6+
- view_component
7+
advisory:
8+
gem: view_component
9+
cve: 2026-54498
10+
ghsa: 97jw-64cj-jc58
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
12+
title: around_render HTML-Safety Bypass
13+
date: 2026-06-04
14+
description: |-
15+
## Summary
16+
17+
ViewComponent::Base#around_render can return HTML-unsafe strings that
18+
bypass the escaping behavior applied to normal #call return values.
19+
This creates an XSS risk when downstream applications use around_render
20+
to wrap, replace, instrument, or conditionally return content that
21+
includes user-controlled data.
22+
23+
The issue is especially dangerous in collection rendering because
24+
ViewComponent::Collection#render_in joins the per-item results and
25+
marks the entire output as html_safe, converting raw unsafe
26+
output into a trusted ActiveSupport::SafeBuffer.
27+
cvss_v3: 8.7
28+
unaffected_versions:
29+
- "< 4.0.0"
30+
patched_versions:
31+
- ">= 4.12.0"
32+
related:
33+
url:
34+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
35+
- https://github.com/ViewComponent/view_component/releases/tag/v4.12.0
36+
- https://github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58
37+
notes: |
38+
- cvss_v3 came from GHSA.
39+
- CVE is reserved, but not published so no non-GHSA cvss values.
40+
---

0 commit comments

Comments
 (0)