RubySec

Providing security resources for the Ruby community

CVE-2026-44837 (view_component): view_component - System Test Entry Point Path Check Allows Sibling Directory Escape

Published: May 08, 2026

SECURITY IDENTIFIERS

GEM

view_component

SEVERITY

CVSS v3.x: 5.9 (Medium)

UNAFFECTED VERSIONS

< 3.0.0

PATCHED VERSIONS

>= 4.9.0

DESCRIPTION

The system test entry point canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path string starts with the temp directory path string. This is not a safe containment check, because a sibling directory can share the same string prefix: a path under it begins with the temp directory's path without being inside that directory.

Severity: Medium; test-route scoped.
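The following is an added illustration of the flaw class described above, not code from the view_component gem: a string-prefix check after File.realpath next to a component-aware check. The directory names, the helper names and the demo layout are constructed for the example.

```ruby
require "fileutils"
require "tmpdir"

# Weak containment check of the shape the advisory describes:
# File.realpath followed by a plain string-prefix comparison.
# A sibling directory whose name merely starts with the base
# directory's name passes this check.
def weakly_contained?(base_dir, path)
  File.realpath(path).start_with?(File.realpath(base_dir))
rescue SystemCallError
  false # path or base does not exist
end

# Hardened check: require the resolved path to equal the base or to
# start with the base plus a path separator, so the comparison is
# made on path components rather than on raw characters.
def strictly_contained?(base_dir, path)
  real_base = File.realpath(base_dir)
  real_path = File.realpath(path)
  return true if real_path == real_base
  # File.realpath strips trailing separators (except for "/" itself),
  # so appending one gives the exact "inside this directory" prefix.
  real_path.start_with?(real_base.end_with?(File::SEPARATOR) ? real_base : real_base + File::SEPARATOR)
rescue SystemCallError
  false
end

# Constructed layout: <tmp>/vc-test (the allowed base) beside
# <tmp>/vc-test-evil (a sibling sharing the string prefix).
# Returns the verdict of each check for a file inside each directory.
def demo
  Dir.mktmpdir("containment") do |root|
    base    = File.join(root, "vc-test")
    sibling = File.join(root, "vc-test-evil")
    FileUtils.mkdir_p(base)
    FileUtils.mkdir_p(sibling)
    inside  = File.join(base, "entry.rb")
    outside = File.join(sibling, "entry.rb")
    File.write(inside, "")
    File.write(outside, "")
    {
      weak_inside:    weakly_contained?(base, inside),
      weak_sibling:   weakly_contained?(base, outside),   # wrongly true
      strict_inside:  strictly_contained?(base, inside),
      strict_sibling: strictly_contained?(base, outside)  # false
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```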

RELATED