CVE-2026-54498
Received Received - Intake

ViewComponent XSS Risk via Unsafe around_render Return Values

Vulnerability report for CVE-2026-54498, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data, and ViewComponent::Collection#render_in can amplify the issue by joining per-item results and marking the entire output html_safe, converting raw unsafe output into an ActiveSupport::SafeBuffer. This issue is fixed in version 4.12.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
viewcomponent viewcomponent From 4.0.0 (inc) to 4.12.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is in the view_component Ruby on Rails framework. It allows ViewComponent::Base#around_render to return unsafe HTML strings that bypass normal escaping. This creates a cross-site scripting (XSS) risk when user-controlled data is included in content processed by around_render or ViewComponent::Collection#render_in.

Detection Guidance

Check if your Ruby on Rails application uses view_component gem versions between 4.0.0 and 4.12.0. Run bundle list to see installed versions. Inspect code for ViewComponent::Base#around_render or ViewComponent::Collection#render_in usage that may return unsafe strings.

Impact Analysis

This vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users. If your application uses around_render or ViewComponent::Collection#render_in with user-controlled data, attackers might execute arbitrary JavaScript in victims' browsers, leading to data theft or session hijacking.

Compliance Impact

This XSS vulnerability could lead to unauthorized data access or modification, violating GDPR's integrity and confidentiality requirements. For HIPAA, it may compromise protected health information by allowing attackers to exfiltrate data. Both standards require protecting against such vulnerabilities to maintain compliance.

Mitigation Strategies

Upgrade view_component to version 4.12.0 or later. Review custom around_render implementations to ensure they return HTML-safe strings. Audit ViewComponent::Collection#render_in usage for unsafe content handling.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54498. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart