XSS Vulnerability in Ruby on Rails ViewComponent Framework
CVE-2026-54498

8.7HIGH

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2026-54498?

The ViewComponent framework for Ruby on Rails, from versions 4.0.0 to 4.12.0, is susceptible to Cross-Site Scripting (XSS) attacks due to the improper handling of HTML-unsafe strings returned by the ViewComponent::Base#around_render method. This issue arises when user-controlled data is included in the rendering process, potentially allowing attackers to inject malicious content. Further exacerbating the risk, the ViewComponent::Collection#render_in can combine rendered items and mark the output as html_safe, which can lead to unsafe content being executed in web applications. The vulnerability has been addressed in version 4.12.0.

Affected Version(s)

view_component >= 4.0.0, < 4.12.0

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.