Advisory Database
  • Advisories
  • Dependency Scanning
  1. gem
  2. ›
  3. view_component
  4. ›
  5. CVE-2026-54498

CVE-2026-54498: ViewComponent: around_render HTML-Safety Bypass

July 15, 2026

ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data.

The issue is especially dangerous in collection rendering because ViewComponent::Collection#render_in joins the per-item results and marks the entire output as html_safe, converting raw unsafe output into a trusted ActiveSupport::SafeBuffer.

References

  • github.com/ViewComponent/view_component/commit/48e5fd2d602344c7d33019fbc5c8b087e315bb78
  • github.com/ViewComponent/view_component/releases/tag/v4.12.0
  • github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58
  • github.com/advisories/GHSA-97jw-64cj-jc58
  • github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54498.yml
  • nvd.nist.gov/vuln/detail/CVE-2026-54498
  • www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498

Code Behaviors & Features

Detect and mitigate CVE-2026-54498 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.0.0 before 4.12.0

Fixed versions

  • 4.12.0

Solution

Upgrade to version 4.12.0 or above.

Impact 8.7 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Learn more about CVSS

Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

gem/view_component/CVE-2026-54498.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 16 Jul 2026 12:16:42 +0000.