AIKIDO-2026-11166
view_component is vulnerable to Cross-Site Scripting (XSS)
87
High Risk
This Affects:
view_componentTL;DR
ViewComponent's around_render hook can return HTML-unsafe strings that bypass the escaping applied to normal #call output. When applications use around_render to wrap or replace rendered content with attacker-influenced data, raw HTML may reach browser responses. Collection rendering amplifies the issue by joining per-item results and marking the combined output html_safe. The fix escapes unsafe around_render return values and uses safe_join in Collection#render_in so unsafe per-item output cannot be laundered into a trusted buffer.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range and your application defines or uses components that override around_render with content that can include attacker-influenced HTML.
Background info
view_component is vulnerable to Cross-Site Scripting (XSS) in versions 4.0.0 - 4.11.0.
How to fix this
Upgrade the view_component library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant