CVE-2026-44837 MEDIUM

CVE-2026-44837: view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

Vendor Viewcomponent
Product view_component
Weakness CWE-187
Published May 26, 2026
Last update May 28, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entry point canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check, because a sibling directory can share the same string prefix and therefore pass the check. This vulnerability is fixed in 4.9.0.
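The following Ruby script is an added example, not code from the view_component project or from the advisory. It reproduces the unsafe pattern the description names (realpath followed by a raw string-prefix test) beside a hardened containment check, and runs both against a constructed fixture: a sandbox directory, a sibling directory whose name shares the sandbox's prefix, and a file in each. The function names and the fixture layout are assumptions made for this illustration.

```ruby
require "tmpdir"
require "fileutils"

# The pattern described in the advisory: canonicalize the path, then test a
# raw string prefix. A sibling directory named "<root>-sibling" starts with
# the same characters as "<root>" and therefore passes. (Simplified model of
# the flawed check, written for this example.)
def prefix_check_inside?(root, path)
  File.realpath(path).start_with?(File.realpath(root))
end

# Hardened variant: accept the root itself, or a path that continues the root
# with a directory separator, so only true descendants pass. File.join with an
# empty last element appends the separator ("/a/b" becomes "/a/b/").
def contained?(root, path)
  root_real = File.realpath(root)
  path_real = File.realpath(path)
  path_real == root_real || path_real.start_with?(File.join(root_real, ""))
rescue Errno::ENOENT, Errno::EACCES
  false # a path that cannot be resolved is treated as outside the root
end

# Constructed fixture: a sandbox directory, a sibling that shares its prefix,
# and one file in each. Returns the verdicts of both checks for comparison.
def compare_checks
  Dir.mktmpdir("vc_example") do |base|
    root    = File.join(base, "tmp")
    sibling = File.join(base, "tmp-sibling") # shares the prefix ".../tmp"
    FileUtils.mkdir_p(root)
    FileUtils.mkdir_p(sibling)
    inside  = File.join(root, "entry.rb")
    outside = File.join(sibling, "entry.rb")
    File.write(inside, "# inside the sandbox\n")
    File.write(outside, "# in the sibling directory\n")

    {
      prefix_inside:  prefix_check_inside?(root, inside),
      prefix_outside: prefix_check_inside?(root, outside), # true: the escape
      safe_inside:    contained?(root, inside),
      safe_outside:   contained?(root, outside),           # false: rejected
      safe_missing:   contained?(root, File.join(root, "absent.rb"))
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Running the script shows the prefix check returning true for the file in the sibling directory while the hardened check returns false; the hardened check also returns false for a path that does not exist, since a failed realpath should never be read as "inside". Comparing path components after canonicalization is the same reasoning as CWE-187 (partial string comparison) calls for: the test must be on the directory boundary, not on a shared run of characters.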

Disclosure timeline

May 26, 2026 CVE published
May 28, 2026 Record updated