🟠 《高危安全漏洞:CVE-2026-54498》

CVSS 评分: 高危(8.7)  状态: Received  发布时间: 2026-07-17


漏洞描述

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 4.0.0 until 4.12.0, ViewComponent::Base#around_render can return HTML-unsafe strings that bypass the escaping behavior applied to normal #call return values. This creates an XSS risk when downstream applications use around_render to wrap, replace, instrument, or conditionally return content that includes user-controlled data, and ViewComponent::Collection#render_in can amplify the issue by joining per-item results and marking the entire output html_safe, converting raw unsafe output into an ActiveSupport::SafeBuffer. This issue is fixed in version 4.12.0.


🔍 技术细节

字段
CVE ID CVE-2026-54498
CVSS 评分 8.7 🟠
严重程度 高危
CVSS 向量 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE 分类 CWE-79
发布时间 2026-07-17
最后更新 2026-07-17
状态 Received
数据来源 security-advisories@github.com

🔗 参考链接