rubysec · flavorjones · May 14, 2026 · May 13, 2026
diff --git a/gems/view_component/CVE-2026-44836.yml b/gems/view_component/CVE-2026-44836.yml
@@ -0,0 +1,33 @@
+---
+gem: view_component
+cve: 2026-44836
+ghsa: 7f3r-gwc9-2995
+url: https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995
+title: view_component - Preview Route Can Dispatch Inherited Helper Methods'
+date: 2026-05-08
+description: |
+  The preview route derives an example name from the URL and calls it
+  with `public_send`. The code does not verify that the requested
+  method is one of the preview examples explicitly defined by the
+  preview class.
+
+  As a result, inherited public methods on `ViewComponent::Preview`
+  are route-reachable. The most important one is `render_with_template`,
+  which accepts `template:` and `locals:`. Those values can come from
+  request params and are later passed to Rails as `render template:`.
+
+  If previews are exposed, an attacker can render internal Rails
+  templates that are not otherwise routable.
+
+  Severity: High if preview routes are externally reachable; Medium otherwise.
+cvss_v3: 6.5
+unaffected_versions:
+  - "< 3.0.0"
+patched_versions:
+  - ">= 4.9.0"
+related:
+  url:
+    - https://viewcomponent.org/CHANGELOG.html#490
+    - https://github.com/ViewComponent/view_component/releases/tag/v4.9.0
+    - https://github.com/ViewComponent/view_component/security/advisories/GHSA-7f3r-gwc9-2995
+    - https://github.com/advisories/GHSA-7f3r-gwc9-2995
diff --git a/gems/view_component/CVE-2026-44837.yml b/gems/view_component/CVE-2026-44837.yml
@@ -0,0 +1,26 @@
+---
+gem: view_component
+cve: 2026-44837
+ghsa: hg3h-g7xc-f7vp
+url: https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp
+title: view_component - System Test Entry Point Path Check Allows
+  Sibling Directory Escape
+date: 2026-05-08
+description: |
+  The system test entrypoint canonicalizes a user-controlled file path
+  with `File.realpath`, then checks whether the resolved path starts
+  with the temp directory path. This is not a safe containment check
+  because sibling directories can share the same string prefix.
+
+  Severity: Medium; test-route scoped.
+cvss_v3: 5.9
+unaffected_versions:
+  - "< 3.0.0"
+patched_versions:
+  - ">= 4.9.0"
+related:
+  url:
+    - https://viewcomponent.org/CHANGELOG.html#490
+    - https://github.com/ViewComponent/view_component/releases/tag/v4.9.0
+    - https://github.com/ViewComponent/view_component/security/advisories/GHSA-hg3h-g7xc-f7vp
+    - https://github.com/advisories/GHSA-hg3h-g7xc-f7vp