PT-2026-39302 · ViewComponent

Cyberlanc3R · Published 2026-05-08 · Updated 2026-05-26

·

CVE-2026-44836

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ViewComponent versions 3.0.0 through 4.8.x
Description: The preview route derives an example name from the URL and invokes it with `public_send` without verifying that the requested method is an explicitly defined preview example. As a result, public methods that `ViewComponent::Preview` inherits are reachable through the route as well. Specifically, the `render_with_template` method can be invoked; it accepts `template:` and `locals:` parameters, which can be supplied via request parameters and are passed to Rails as `render template:`. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable, potentially exposing secrets, configuration, debug data, or admin-only partials.
Recommendations: Update ViewComponent to version 4.9.0. As a temporary workaround, restrict external access to the preview routes to reduce the risk of exploitation.
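As an added illustration, not ViewComponent's own code, the dispatch pattern the description refers to is shown beside a hardened version that only routes to examples the preview class itself defines. `PreviewBase`, `ButtonPreview`, the template names and the two dispatch functions are stand-ins constructed for this example; `render_with_template` here only reports what it would render instead of calling Rails.

```ruby
# Stand-in for a preview base class (hypothetical, modelled on the advisory's
# description of ViewComponent::Preview): every subclass inherits this public
# helper, which in a real app would hand template: and locals: to Rails.
class PreviewBase
  def render_with_template(template: nil, locals: {})
    { rendered: template, locals: locals }
  end
end

# A preview class whose author intended to expose exactly two examples.
class ButtonPreview < PreviewBase
  def default
    { rendered: "button_preview/default", locals: {} }
  end

  def with_icon
    { rendered: "button_preview/with_icon", locals: { icon: "star" } }
  end
end

# Vulnerable dispatch: the example name comes straight from the URL and any
# public method the object responds to is invoked, inherited ones included,
# with request parameters forwarded as keyword arguments.
def dispatch_vulnerable(preview_class, example, **params)
  preview = preview_class.new
  raise ArgumentError, "unknown example #{example}" unless preview.respond_to?(example)
  preview.public_send(example, **params)
end

# Hardened dispatch: build the allowlist from the methods the preview class
# defines itself. public_instance_methods(false) excludes everything inherited
# from PreviewBase, so render_with_template is never a routable example.
def defined_examples(preview_class)
  preview_class.public_instance_methods(false).map(&:to_s).sort
end

def dispatch_hardened(preview_class, example)
  unless defined_examples(preview_class).include?(example.to_s)
    raise ArgumentError, "#{example} is not a preview example of #{preview_class}"
  end
  preview_class.new.public_send(example) # no request parameters are forwarded
end
```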

Related Identifiers

CVE-2026-44836
GHSA-7F3R-GWC9-2995

Affected Products

ViewComponent