From 3fa8e05bd79247439ca2bdd06f040659c69d3e35 Mon Sep 17 00:00:00 2001 From: Al Snow <43523+jasnow@users.noreply.github.com> Date: Wed, 8 Jul 2026 15:15:50 -0400 Subject: [PATCH] Two new view_component gem advisories --- gems/view_component/CVE-2026-54497.yml | 33 ++++++++++++++++++++++++++ gems/view_component/CVE-2026-54498.yml | 33 ++++++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 gems/view_component/CVE-2026-54497.yml create mode 100644 gems/view_component/CVE-2026-54498.yml diff --git a/gems/view_component/CVE-2026-54497.yml b/gems/view_component/CVE-2026-54497.yml new file mode 100644 index 0000000000..89aa579f9c --- /dev/null +++ b/gems/view_component/CVE-2026-54497.yml @@ -0,0 +1,33 @@ +--- +gem: view_component +cve: 2026-54497 +ghsa: 9h85-g7w3-rh49 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497 +title: Reused Component Instances Retain Stale Render Context +date: 2026-06-04 +description: | + ## Summary + + ViewComponent::Base instances retain multiple render-scoped objects + across calls to render_in. If the same component, collection, or + spacer component instance is reused across requests, users, tenants, + or threads, later renders can use stale helpers, controller, request, + view_flow, format/variant details, and slot child context from an + earlier render. + + This can cause authorization-aware components to render privileged UI + for a lower-privileged user, generate links using a stale Host header, + leak slot/helper state, and mix request context under concurrent rendering. +cvss_v3: 6.8 +unaffected_versions: + - "< 4.0.0" +patched_versions: + - ">= 4.12.0" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54497 + - https://github.com/ViewComponent/view_component/releases/tag/v4.12.0 + - https://github.com/ViewComponent/view_component/security/advisories/GHSA-9h85-g7w3-rh49 +notes: | + - cvss_v3 came from GHSA. + - CVE is reserved, but not published so no non-GHSA cvss values. diff --git a/gems/view_component/CVE-2026-54498.yml b/gems/view_component/CVE-2026-54498.yml new file mode 100644 index 0000000000..ad38852fab --- /dev/null +++ b/gems/view_component/CVE-2026-54498.yml @@ -0,0 +1,33 @@ +--- +gem: view_component +cve: 2026-54498 +ghsa: 97jw-64cj-jc58 +url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498 +title: around_render HTML-Safety Bypass +date: 2026-06-04 +description: | + ## Summary + + ViewComponent::Base#around_render can return HTML-unsafe strings that + bypass the escaping behavior applied to normal #call return values. + This creates an XSS risk when downstream applications use around_render + to wrap, replace, instrument, or conditionally return content that + includes user-controlled data. + + The issue is especially dangerous in collection rendering because + ViewComponent::Collection#render_in joins the per-item results and + marks the entire output as html_safe, converting raw unsafe + output into a trusted ActiveSupport::SafeBuffer. +cvss_v3: 8.7 +unaffected_versions: + - "< 4.0.0" +patched_versions: + - ">= 4.12.0" +related: + url: + - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498 + - https://github.com/ViewComponent/view_component/releases/tag/v4.12.0 + - https://github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58 +notes: | + - cvss_v3 came from GHSA. + - CVE is reserved, but not published so no non-GHSA cvss values.