CVE-2026-44837
Status: Analyzed (analysis complete)
Path Traversal in ViewComponent Ruby Gem

Publication date: 2026-05-26

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 up to, but not including, 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix: a path under a directory whose name begins with the temp directory's path passes the check while lying outside it. This vulnerability is fixed in 4.9.0.
Meta Information
Page generated: 2026-06-16
AI Q&A generated: 2026-05-27
EPSS evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor         Product          Version / Range
viewcomponent  view_component   from 3.0.0 (inclusive) to 4.9.0 (exclusive)
CWE
CWE-187 (Partial String Comparison): The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
Mitigation Strategies

To mitigate this vulnerability, upgrade the view_component framework to version 4.9.0 or later, where the issue has been fixed.

Executive Summary

The vulnerability affects the view_component framework for Ruby on Rails from version 3.0.0 up to, but not including, 4.9.0. The system test entrypoint canonicalizes a user-controlled file path with File.realpath and then checks whether the resolved path begins with the temporary directory's path. Canonicalization resolves ".." segments and symlinks, so the weak point is the comparison itself: a raw string-prefix test does not stop at a directory boundary. If, for illustration, the temporary directory is /tmp/abc, a file under a sibling directory such as /tmp/abcdef also starts with the string /tmp/abc and passes the check, which can allow access to files outside the intended directory.

Impact Analysis

Because the containment check can be bypassed through a directory whose name shares the temporary directory's path as a string prefix, an attacker who controls the path may access or manipulate files outside the intended temporary directory. Depending on what the entrypoint does with the resolved path, this could expose sensitive information or lead to other security issues.
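The check described in the summary and impact sections above, reproduced as an added example. This is not the view_component gem's code: the function names, directory names and sample files are illustrative assumptions constructed for the demo. It places a weak prefix check beside a boundary-aware one and builds a throwaway directory layout in which a sibling directory shares the root's prefix, so the bypass and the fix can both be observed.

```ruby
# Added example (not the view_component gem's own code): the prefix-based
# containment check the advisory describes, beside a hardened version, and a
# demo that builds constructed files in a throwaway directory to show the
# bypass. Function and directory names here are illustrative assumptions.
require "tmpdir"
require "fileutils"

# Weak check: canonicalize, then compare by raw string prefix. realpath
# defeats ".." and symlink tricks, but any sibling directory whose name
# begins with the root's path (e.g. "tests-evil" next to "tests") also
# starts with the same string and is accepted.
def inside_by_prefix?(path, root)
  File.realpath(path).start_with?(File.realpath(root))
end

# Hardened check: require either an exact match or the root followed by a
# path separator, so the comparison is on a directory boundary, not on
# arbitrary characters. File.realpath strips any trailing separator from
# root, so appending exactly one is safe.
def inside_by_prefix_fixed?(path, root)
  real_root = File.realpath(root)
  real_path = File.realpath(path)
  real_path == real_root || real_path.start_with?(real_root + File::SEPARATOR)
end

# Builds a constructed layout under a fresh temp directory:
#   <base>/tests/component.rb      inside the intended root
#   <base>/tests-evil/secret.rb    sibling sharing the prefix "<base>/tests"
#   <base>/tests/link.rb           symlink inside the root -> secret.rb
#   <base>/other/x.rb              unrelated sibling, no shared prefix
# Returns a Hash of boolean outcomes so the behaviour can be asserted on.
def demo_prefix_bypass
  Dir.mktmpdir("vc-prefix-demo-") do |base|
    root    = File.join(base, "tests")
    sibling = File.join(base, "tests-evil")
    other   = File.join(base, "other")
    [root, sibling, other].each { |d| FileUtils.mkdir_p(d) }

    inside    = File.join(root, "component.rb")
    leaked    = File.join(sibling, "secret.rb")
    unrelated = File.join(other, "x.rb")
    link      = File.join(root, "link.rb")
    File.write(inside,    "# constructed: inside the root\n")
    File.write(leaked,    "# constructed: outside the root, shared prefix\n")
    File.write(unrelated, "# constructed: outside the root, no shared prefix\n")
    File.symlink(leaked, link)

    {
      # realpath alone already stops plain ".." traversal to an unrelated dir
      weak_rejects_dotdot:   !inside_by_prefix?(File.join(root, "..", "other", "x.rb"), root),
      # ...but the shared-prefix sibling slips through the weak check
      weak_accepts_sibling:  inside_by_prefix?(leaked, root),
      # realpath follows the symlink to the sibling; the weak check still accepts
      weak_accepts_symlink:  inside_by_prefix?(link, root),
      # the boundary-aware check rejects both and keeps accepting real members
      fixed_rejects_sibling: !inside_by_prefix_fixed?(leaked, root),
      fixed_rejects_symlink: !inside_by_prefix_fixed?(link, root),
      fixed_accepts_inside:  inside_by_prefix_fixed?(inside, root),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_prefix_bypass.each { |k, v| puts "#{k}: #{v}" }
end
```

Two caveats worth keeping in mind when applying the hardened pattern elsewhere: File.realpath raises Errno::ENOENT for paths that do not exist, so the check must run against the path actually going to be opened (the demo writes its sample files first for that reason), and the separator-suffixed comparison only protects a directory boundary if both sides have been canonicalized with the same function.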
