<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ViewComponent (&gt;= 4.0.0, &lt; 4.12.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/viewcomponent--4.0.0--4.12.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 22:52:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/viewcomponent--4.0.0--4.12.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>ViewComponent HTML-Safety Bypass Leads to Cross-Site Scripting (CVE-2026-54498)</title><link>https://feed.craftedsignal.io/briefs/2026-07-viewcomponent-xss-bypass/</link><pubDate>Wed, 15 Jul 2026 22:52:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-viewcomponent-xss-bypass/</guid><description>A critical HTML-safety bypass vulnerability, CVE-2026-54498, exists in ViewComponent versions prior to 4.12.0, allowing attackers to inject raw HTML via the `around_render` method, bypassing standard escaping and leading to Cross-Site Scripting (XSS) in affected Ruby on Rails applications.</description><content:encoded><![CDATA[<p>A high-severity HTML-safety bypass vulnerability (CVE-2026-54498) has been identified in <code>ViewComponent</code> versions 4.0.0 through 4.11.x, published on July 15, 2026. This flaw allows a specially crafted <code>around_render</code> method within a ViewComponent to return HTML-unsafe strings, thereby circumventing the automatic escaping applied to normal <code>#call</code> return values. Attackers can leverage this bypass to inject arbitrary client-side script (XSS) when an application uses <code>around_render</code> to wrap, replace, or conditionally return content that incorporates user-controlled data. The vulnerability is exacerbated in collection rendering (<code>ViewComponent::Collection#render_in</code>), where the combined output from multiple components is erroneously marked as <code>html_safe</code>, enabling raw, malicious HTML to be treated as trusted content and executed in the user's browser. This poses a significant risk to the integrity of web applications relying on affected ViewComponent versions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target application using <code>ViewComponent</code> and a vulnerable component that overrides the <code>around_render</code> method.</li>
<li>The vulnerable <code>around_render</code> method is designed to return or wrap attacker-influenced HTML-unsafe content, such as a user-supplied message or dynamic data from a database.</li>
<li>The attacker crafts a malicious input (e.g., <code>&lt;img src=x onerror=alert(1)&gt;</code>) that, when processed by the application, will be included in the content returned by the <code>around_render</code> method.</li>
<li>The application renders the component, invoking the <code>around_render</code> method. Due to the vulnerability, the <code>around_render</code> method's output is not passed through the necessary HTML-escaping boundary.</li>
<li>If the component is rendered as part of a collection, the raw, unsafe output from multiple components is joined and then incorrectly marked as <code>html_safe</code> by <code>ViewComponent::Collection#render_in</code>.</li>
<li>The browser receives the server response containing the raw, unescaped malicious HTML, which it interprets and executes, leading to Cross-Site Scripting (XSS).</li>
<li>Successful execution enables various impacts, including session/token theft, authenticated actions as the victim, data exfiltration, or credential phishing within the trusted application origin.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54498 results in Cross-Site Scripting (XSS) within applications utilizing affected ViewComponent versions. Depending on the application's context and configuration, this can lead to severe consequences. Attackers could steal user session cookies or authentication tokens, perform authenticated actions on behalf of the victim, bypass Cross-Site Request Forgery (CSRF) protections, exfiltrate sensitive page data, or conduct credential phishing and UI redressing attacks from within the legitimate application domain. The risk is particularly elevated for applications that render components through <code>ViewComponent::Collection</code>, as this path actively marks raw malicious HTML as <code>html_safe</code>, preventing any subsequent security controls from sanitizing the output.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-54498 immediately</strong> by upgrading <code>rubygems/view_component</code> to version 4.12.0 or later.</li>
<li><strong>Review codebases for vulnerable patterns</strong> where <code>around_render</code> returns or wraps user-controlled, HTML-unsafe content. Specifically inspect components that use <code>around_render</code> for tracing, layout wrapping, feature-flag fallbacks, or instrumentation.</li>
<li><strong>Implement strict input sanitization and output encoding</strong> at the application layer for all user-controlled data, especially when displayed in HTML contexts, even after patching.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>web-application</category><category>ruby</category><category>vulnerability</category><category>client-side-scripting</category></item></channel></rss>