CVE-2026-54498: ViewComponent: around_render HTML-Safety Bypass
ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data.
The issue is especially dangerous in collection rendering because ViewComponent::Collection#render_in joins the per-item results and marks the entire output as html_safe, converting raw unsafe output into a trusted ActiveSupport::SafeBuffer.
References
- github.com/ViewComponent/view_component/commit/48e5fd2d602344c7d33019fbc5c8b087e315bb78
- github.com/ViewComponent/view_component/releases/tag/v4.12.0
- github.com/ViewComponent/view_component/security/advisories/GHSA-97jw-64cj-jc58
- github.com/advisories/GHSA-97jw-64cj-jc58
- github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2026-54498.yml
- nvd.nist.gov/vuln/detail/CVE-2026-54498
- www.cve.org/CVERecord/SearchResults?query=CVE-2026-54498
Code Behaviors & Features
Detect and mitigate CVE-2026-54498 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →