{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/viewcomponent--4.0.0--4.12.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ViewComponent (\u003e= 4.0.0, \u003c 4.12.0)"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","ruby","vulnerability","client-side-scripting"],"_cs_type":"advisory","_cs_vendors":["ViewComponent"],"content_html":"\u003cp\u003eA high-severity HTML-safety bypass vulnerability (CVE-2026-54498) has been identified in \u003ccode\u003eViewComponent\u003c/code\u003e versions 4.0.0 through 4.11.x, published on July 15, 2026. This flaw allows a specially crafted \u003ccode\u003earound_render\u003c/code\u003e method within a ViewComponent to return HTML-unsafe strings, thereby circumventing the automatic escaping applied to normal \u003ccode\u003e#call\u003c/code\u003e return values. Attackers can leverage this bypass to inject arbitrary client-side script (XSS) when an application uses \u003ccode\u003earound_render\u003c/code\u003e to wrap, replace, or conditionally return content that incorporates user-controlled data. The vulnerability is exacerbated in collection rendering (\u003ccode\u003eViewComponent::Collection#render_in\u003c/code\u003e), where the combined output from multiple components is erroneously marked as \u003ccode\u003ehtml_safe\u003c/code\u003e, enabling raw, malicious HTML to be treated as trusted content and executed in the user's browser. This poses a significant risk to the integrity of web applications relying on affected ViewComponent versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a target application using \u003ccode\u003eViewComponent\u003c/code\u003e and a vulnerable component that overrides the \u003ccode\u003earound_render\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003earound_render\u003c/code\u003e method is designed to return or wrap attacker-influenced HTML-unsafe content, such as a user-supplied message or dynamic data from a database.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert(1)\u0026gt;\u003c/code\u003e) that, when processed by the application, will be included in the content returned by the \u003ccode\u003earound_render\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe application renders the component, invoking the \u003ccode\u003earound_render\u003c/code\u003e method. Due to the vulnerability, the \u003ccode\u003earound_render\u003c/code\u003e method's output is not passed through the necessary HTML-escaping boundary.\u003c/li\u003e\n\u003cli\u003eIf the component is rendered as part of a collection, the raw, unsafe output from multiple components is joined and then incorrectly marked as \u003ccode\u003ehtml_safe\u003c/code\u003e by \u003ccode\u003eViewComponent::Collection#render_in\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe browser receives the server response containing the raw, unescaped malicious HTML, which it interprets and executes, leading to Cross-Site Scripting (XSS).\u003c/li\u003e\n\u003cli\u003eSuccessful execution enables various impacts, including session/token theft, authenticated actions as the victim, data exfiltration, or credential phishing within the trusted application origin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54498 results in Cross-Site Scripting (XSS) within applications utilizing affected ViewComponent versions. Depending on the application's context and configuration, this can lead to severe consequences. Attackers could steal user session cookies or authentication tokens, perform authenticated actions on behalf of the victim, bypass Cross-Site Request Forgery (CSRF) protections, exfiltrate sensitive page data, or conduct credential phishing and UI redressing attacks from within the legitimate application domain. The risk is particularly elevated for applications that render components through \u003ccode\u003eViewComponent::Collection\u003c/code\u003e, as this path actively marks raw malicious HTML as \u003ccode\u003ehtml_safe\u003c/code\u003e, preventing any subsequent security controls from sanitizing the output.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-54498 immediately\u003c/strong\u003e by upgrading \u003ccode\u003erubygems/view_component\u003c/code\u003e to version 4.12.0 or later.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview codebases for vulnerable patterns\u003c/strong\u003e where \u003ccode\u003earound_render\u003c/code\u003e returns or wraps user-controlled, HTML-unsafe content. Specifically inspect components that use \u003ccode\u003earound_render\u003c/code\u003e for tracing, layout wrapping, feature-flag fallbacks, or instrumentation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement strict input sanitization and output encoding\u003c/strong\u003e at the application layer for all user-controlled data, especially when displayed in HTML contexts, even after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T22:52:19Z","date_published":"2026-07-15T22:52:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-viewcomponent-xss-bypass/","summary":"A critical HTML-safety bypass vulnerability, CVE-2026-54498, exists in ViewComponent versions prior to 4.12.0, allowing attackers to inject raw HTML via the `around_render` method, bypassing standard escaping and leading to Cross-Site Scripting (XSS) in affected Ruby on Rails applications.","title":"ViewComponent HTML-Safety Bypass Leads to Cross-Site Scripting (CVE-2026-54498)","url":"https://feed.craftedsignal.io/briefs/2026-07-viewcomponent-xss-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - ViewComponent (\u003e= 4.0.0, \u003c 4.12.0)","version":"https://jsonfeed.org/version/1.1"}