## Summary

view_component versions 3.0.0 through 4.9.0 contain a path traversal vulnerability in the system test entrypoint. The application uses `File.realpath` to canonicalize a user-controlled file path, then performs a prefix-based check against the temp directory path. This containment check is unsafe because sibling directories can share the same string prefix, allowing an attacker to access files o [truncated]
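The prefix problem described in the summary above, as an added Ruby example; it is not view_component's code or its fix. The helper names (`prefix_contained?`, `resolve_inside`, `demo`) and the directory layout are hypothetical and constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Unsafe pattern from the summary: canonicalize, then compare string prefixes.
def prefix_contained?(base_dir, candidate)
  File.realpath(candidate).start_with?(File.realpath(base_dir))
end

# Boundary-aware check (hypothetical helper): the canonical path must sit
# below base_dir plus a separator. Returns the real path, or nil if rejected.
def resolve_inside(base_dir, candidate)
  base = File.realpath(base_dir).chomp(File::SEPARATOR) + File::SEPARATOR
  real = File.realpath(candidate)
  real.start_with?(base) ? real : nil
rescue Errno::ENOENT, Errno::ELOOP
  nil # missing file or symlink loop: reject rather than raise
end

# Builds a constructed directory layout and runs both checks against it.
def demo
  Dir.mktmpdir("vc_example") do |root|
    tmp     = File.join(root, "tmp")
    sibling = File.join(root, "tmp_sibling") # shares the string prefix ".../tmp"
    FileUtils.mkdir_p([tmp, sibling])
    legit  = File.join(tmp, "render.html")
    secret = File.join(sibling, "secret.txt")
    File.write(legit, "ok")
    File.write(secret, "constructed secret")
    File.symlink(secret, File.join(tmp, "link"))

    outside = File.join(tmp, "..", "tmp_sibling", "secret.txt")
    {
      prefix_accepts_sibling:   prefix_contained?(tmp, outside),
      boundary_accepts_sibling: !resolve_inside(tmp, outside).nil?,
      boundary_accepts_legit:   resolve_inside(tmp, legit) == File.realpath(legit),
      boundary_accepts_symlink: !resolve_inside(tmp, File.join(tmp, "link")).nil?,
      boundary_accepts_missing: !resolve_inside(tmp, File.join(tmp, "nope")).nil?
    }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The symlink case is rejected because `File.realpath` resolves the link before the comparison, so the separator-terminated prefix is checked against the file's actual location.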
CVE-2026-44836 is a medium-severity vulnerability in the view_component Ruby gem affecting versions 3.0.0 through 4.9.0. The issue stems from improper method authorization in the preview route functionality. When preview routes are enabled, the application derives an example name from the URL and invokes it via `public_send` without verifying that the requested method is explicitly defined as a preview exam [truncated]