CVE-2026-54498 - CERT CVE
ID CVE-2026-54498
Sažetak view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data, and ViewComponent::Collection#render_in can amplify the issue by joining per-item results and marking the entire output html_safe, converting raw unsafe output into an ActiveSupport::SafeBuffer. This issue is fixed in version 4.12.0.
Reference
CVSS
Base: 8.7
Impact: 5.8
Exploitability:2.3
Pristup
VektorSloženostAutentikacija
NETWORK LOW LOW
Impact
PovjerljivostCjelovitostDostupnost
HIGH HIGH NONE
CVSS vektor CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Zadnje važnije ažuriranje 17-07-2026 - 21:17
Objavljeno 17-07-2026 - 21:17