Vulnerability in ViewComponent Framework for Ruby on Rails Affecting Multiple Versions
CVE-2026-44836

6.5 MEDIUM

Key Information:

Vendor
CVE Published:
26 May 2026

What is CVE-2026-44836?

A vulnerability exists in the ViewComponent framework for Ruby on Rails, affecting versions from 3.0.0 before 4.9.0. The preview route derives the example name directly from the URL and invokes it with public_send, so any public method a ViewComponent::Preview subclass inherits, not only the examples its author defined, can be reached through the route. One such inherited method, render_with_template, accepts parameters taken directly from the request, which could let a malicious user render internal Rails templates that were never meant to be exposed and so disclose sensitive application content.
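The pattern described above, reduced to a stand-alone Ruby model as an added example (this is not ViewComponent's own code): a weak dispatcher that hands a URL-derived name to public_send, beside a hardened one that only accepts methods the preview class itself defines and never forwards request parameters. PreviewBase, ButtonPreview and the two dispatch functions are assumed names for illustration.

```ruby
# Stand-in for the framework's preview base class (assumed name): its public
# API is inherited by every application preview class.
class PreviewBase
  # Inherited public method; in the real framework it accepts request-derived
  # keyword arguments, which is the crux of the advisory.
  def render_with_template(template: nil, locals: {})
    "rendered #{template.inspect}"
  end
end

# An application preview class: only +default+ is meant to be an example.
class ButtonPreview < PreviewBase
  def default
    "example: default"
  end
end

# Weak dispatcher: the example name comes straight from the URL and is invoked
# with public_send, so inherited public methods are reachable as well, and
# request parameters flow into whichever method is named.
def dispatch_weak(klass, example_name, params = {})
  klass.new.public_send(example_name, **params)
end

# Hardened dispatcher: public_instance_methods(false) lists only methods the
# preview class defines itself (inherited ones are excluded), so an unknown or
# inherited name is rejected before any call, and no request parameters are
# forwarded to the example method.
def dispatch_hardened(klass, example_name)
  allowed = klass.public_instance_methods(false).map(&:to_s)
  return nil unless allowed.include?(example_name)
  klass.new.public_send(example_name)
end
```

Returning nil for a rejected name is a stand-in for whatever the route would do on a bad request; the important property is that the inherited method is never invoked.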

Affected Version(s)

view_component >= 3.0.0, < 4.9.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
