XSS Vulnerability in Ruby on Rails ViewComponent Framework
CVE-2026-54498
8.7HIGH
What is CVE-2026-54498?
The ViewComponent framework for Ruby on Rails, from versions 4.0.0 to 4.12.0, is susceptible to Cross-Site Scripting (XSS) attacks due to the improper handling of HTML-unsafe strings returned by the ViewComponent::Base#around_render method. This issue arises when user-controlled data is included in the rendering process, potentially allowing attackers to inject malicious content. Further exacerbating the risk, the ViewComponent::Collection#render_in can combine rendered items and mark the output as html_safe, which can lead to unsafe content being executed in web applications. The vulnerability has been addressed in version 4.12.0.
Affected Version(s)
view_component >= 4.0.0, < 4.12.0
