
15 matches found

Vulnrichment
added 2026/05/26 7:40 p.m., 6 views

CVE-2026-44837 view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path...

CVSS 5.9 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 1
Cvelist
added 2026/05/26 7:40 p.m., 33 views

CVE-2026-44837 view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path...

CVSS 5.9 | EPSS 0.00015
Exploits 1 | References 1
CVE
added 2026/05/26 7:40 p.m., 20 views

CVE-2026-44837

ViewComponent CVE-2026-44837 affects Rails ViewComponent from 3.0.0 to 4.9.0. Root cause: the system test entrypoint uses File.realpath and starts_with to check the path, which is not a safe containment check and allows potential sibling-directory escapes. Impact: could permit access to files outside...

CVSS 7.5 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 1 | Affected Software 1
Github Security Blog
added 2026/05/08 11:33 p.m., 7 views

view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

Summary: The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-rou...

CVSS 7.5 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 4 | Affected Software 1
OSV
added 2026/05/08 11:33 p.m., 4 views

GHSA-HG3H-G7XC-F7VP view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

Summary: The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-rou...

CVSS 5.9 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 4
RubySec
added 2026/05/08 12:00 a.m., 6 views

view_component - System Test Entry Point Path Check Allows Sibling Directory Escape

The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-route scope...

CVSS 7.5 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 1 | Affected Software 1
Positive Technologies
added 2026/05/08 12:00 a.m., 7 views

PT-2026-39303

Name of the Vulnerable Software and Affected Versions: view component versions 3.0.0 through 4.8.9. Description: The system test entrypoint canonicalizes a user-controlled file path using File.realpath and verifies if the resolved path starts with the temporary directory path. This containment check...

CVSS 5.9 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 5
vulnersOsv
added 2026/02/17 12:31 p.m., 3 views

org.apache.nifi:nifi-framework-nar (>=1.1.0 <=1.9.2), org.apache.nifi:nifi-jetty (>=1.1.0 <=1.9.2) +3 more potentially affected by CVE-2026-25903 via org.apache.nifi:nifi-web-api (>=1.1.0 <=2.7.2)

org.apache.nifi:nifi-web-api (MAVEN) versions: =1.1.0, =1.1.0, =1.1.0, =2.0.0, =1.20.0, =1.20.0, =2.7.2. Source CVEs: CVE-2026-25903. Source advisory: OSV:GHSA-C5W7-M8WF-XC77...

CVSS 8.7 | AI score 7.4 | EPSS 0.00028
Exploits 0
Tenable Nessus
added 2025/08/06 12:00 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2024-26784

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal. On unloading of the...

CVSS 5.5 | AI score 5 | EPSS 0.00017
Exploits 0 | References 2
vulnersOsv
added 2024/07/08 9:32 a.m., 4 views

org.apache.nifi:nifi-framework-nar (>=1.1.0 <=1.12.1), org.apache.nifi:nifi-jetty (>=1.1.0 <=1.15.3) +2 more potentially affected by CVE-2024-37389 via org.apache.nifi:nifi-web-ui (>=1.10.0 <=1.26.0)

org.apache.nifi:nifi-web-ui (MAVEN) versions: =1.10.0, =1.1.0, =1.1.0, =1.13.0, =1.11.0, =1.26.0. Source CVEs: CVE-2024-37389. Source advisory: OSV:GHSA-H658-QQV9-QWV8...

CVSS 5.4 | AI score 5.8 | EPSS 0.01708
Exploits 0
vulnersOsv
added 2024/07/08 9:32 a.m., 7 views

org.apache.nifi:nifi-server-nar (=2.0.0-M3), org.apache.nifi:nifi-system-test-suite (>=2.0.0-M1 <=2.0.0-M3) potentially affected by CVE-2024-37389 via org.apache.nifi:nifi-web-ui (>=2.0.0-M1 <=2.0.0-M3)

org.apache.nifi:nifi-web-ui (MAVEN) versions: =2.0.0-M1, =2.0.0-M1, =2.0.0-M3. Source CVEs: CVE-2024-37389. Source advisory: OSV:GHSA-H658-QQV9-QWV8...

CVSS 5.4 | AI score 5.8 | EPSS 0.01708
Exploits 0
UbuntuCve
added 2024/04/04 12:00 a.m., 16 views

CVE-2024-26784

In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: Fix NULL dereference on scmi_perf_domain removal. On unloading of the scmi_perf_domain module got the below splat, when in the DT provided to the system under test the '#power-domain-cells' property was missing. Indeed,...

CVSS 5.5 | AI score 5.8 | EPSS 0.00017
Exploits 0 | References 3
OSV
added 2018/03/16 8:29 p.m., 2 views

CVE-2017-8013

EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before patch 130 contains undocumented accounts with hard-coded passwords and various privileges. Affected accounts are: "Apollo System Test", "emc.dpa.agent.logon" and "emc.dpa.metrics.logon". An attacker with knowledge of the password...

CVSS 9.8 | AI score 5.8 | EPSS 0.01305
Exploits 1 | References 3
Tenable Nessus
added 2017/09/21 12:00 a.m., 24 views

EMC Data Protection Advisor < 6.4.130 Hardcoded Password Vulnerability

According to its self-reported version number, the EMC Data Protection Advisor running on the remote host is 6.3.x prior to 6.3 patch 67 or 6.4.x prior to 6.4 patch 130. It is, therefore, affected by a default credential vulnerability due to hardcoded passwords with the Apollo System Test,...

CVSS 9.8 | AI score 8.4 | EPSS 0.01305
Exploits 1 | References 2
OpenVAS
added 2015/03/25 12:00 a.m., 6 views

IT-Grundschutz M4.334: SMB Message Signing and Samba

IT-Grundschutz M4.334: SMB Message Signing and Samba. Status: 14th supplementary delivery (14. EL). OpenVAS Vulnerability Test $Id: GSHBM4334.nasl 7883 2017-11-23 11:22:59Z emoss $. IT-Grundschutz, 14. EL, Measure 4.334. Authors: Thomas Rotter. Copyright: Copyright (c) 2015 Greenbone Networks GmbH,...

AI score 7.3
Exploits 0 | References 1