Updated advisory posts against rubysec/ruby-advisory-db@6bb274f

jasnow · RubySec CI · commit e112fc19fab7 · 2026-05-14T15:30:30.000Z
diff --git a/advisories/_posts/2026-05-08-CVE-2026-44836.md b/advisories/_posts/2026-05-08-CVE-2026-44836.md
@@ -0,0 +1,41 @@
+---
+layout: advisory
+title: 'CVE-2026-44836 (view_component): view_component - Preview Route Can Dispatch
+  Inherited Helper Methods'''
+comments: false
+categories:
+- view_component
+advisory:
+  gem: view_component
+  cve: 2026-44836
+  ghsa: 7f3r-gwc9-2995
+  url: https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995
+  title: view_component - Preview Route Can Dispatch Inherited Helper Methods'
+  date: 2026-05-08
+  description: |-
+    The preview route derives an example name from the URL and calls it
+    with `public_send`. The code does not verify that the requested
+    method is one of the preview examples explicitly defined by the
+    preview class.
+
+    As a result, inherited public methods on `ViewComponent::Preview`
+    are route-reachable. The most important one is `render_with_template`,
+    which accepts `template:` and `locals:`. Those values can come from
+    request params and are later passed to Rails as `render template:`.
+
+    If previews are exposed, an attacker can render internal Rails
+    templates that are not otherwise routable.
+
+    Severity: High if preview routes are externally reachable; Medium otherwise.
+  cvss_v3: 6.5
+  unaffected_versions:
+  - "< 3.0.0"
+  patched_versions:
+  - ">= 4.9.0"
+  related:
+    url:
+    - https://viewcomponent.org/CHANGELOG.html#490
+    - https://github.com/ViewComponent/view_component/releases/tag/v4.9.0
+    - https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995
+    - https://github.com/advisories/GHSA-7f3r-gwc9-2995
+---
diff --git a/advisories/_posts/2026-05-08-CVE-2026-44837.md b/advisories/_posts/2026-05-08-CVE-2026-44837.md
@@ -0,0 +1,34 @@
+---
+layout: advisory
+title: 'CVE-2026-44837 (view_component): view_component - System Test Entry Point
+  Path Check Allows Sibling Directory Escape'
+comments: false
+categories:
+- view_component
+advisory:
+  gem: view_component
+  cve: 2026-44837
+  ghsa: hg3h-g7xc-f7vp
+  url: https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp
+  title: view_component - System Test Entry Point Path Check Allows Sibling Directory
+    Escape
+  date: 2026-05-08
+  description: |-
+    The system test entrypoint canonicalizes a user-controlled file path
+    with `File.realpath`, then checks whether the resolved path starts
+    with the temp directory path. This is not a safe containment check
+    because sibling directories can share the same string prefix.
+
+    Severity: Medium; test-route scoped.
+  cvss_v3: 5.9
+  unaffected_versions:
+  - "< 3.0.0"
+  patched_versions:
+  - ">= 4.9.0"
+  related:
+    url:
+    - https://viewcomponent.org/CHANGELOG.html#490
+    - https://github.com/ViewComponent/view_component/releases/tag/v4.9.0
+    - https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp
+    - https://github.com/advisories/GHSA-hg3h-g7xc-f7vp
+---
