
Backport security fixes for GHSA-7f3r-gwc9-2995 and GHSA-hg3h-g7xc-f7vp to 3.x #2637

@kwent

Description


Request

Backport security fixes for the following advisories to the 3.x branch:

  • GHSA-7f3r-gwc9-2995 (CVE-2026-44836, CVSS 6.5) — Preview route allows invoking inherited methods like render_with_template via public_send, enabling rendering of arbitrary Rails templates.
  • GHSA-hg3h-g7xc-f7vp (CVE-2026-44837, CVSS 5.9) — ViewComponentsSystemTestController uses start_with? for path containment, allowing sibling-directory path traversal.

Affected versions

Both advisories list affected versions as >= 3.0.0, fixed only in 4.9.0. The latest 3.x release (v3.24.0) remains vulnerable, and there is no patched 3.x line.

Why a backport

v4.0.0 is a major release with breaking changes (removal of render_component/render monkey patches, use_helper(s) removal, generator namespace rename, lookup_context-based template selection, Rails >= 7.1 / Ruby >= 3.2 floor, Nokogiri::HTML5 in test helpers). Applications still on 3.x cannot adopt 4.x without coordinated migration work, leaving them exposed to two moderate-severity advisories with no upgrade path that is purely a security patch.

A 3.24.1 (or 3.25.0) containing only the security fixes would let teams on the 3.x line patch without taking on the 4.x migration in the same change.

Proposed scope

  • Cherry-pick or re-apply the two security fixes onto the 3-x-stable branch.
  • Release as a patch on 3.x.
  • Update the advisories' "Patched versions" to include the backport.

Happy to help test against a release candidate.
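The two bug classes named in the advisories above, a prefix-based containment test and an unrestricted `public_send` dispatch, shown beside hardened forms. This is an added example, not ViewComponent's code or a reproduction of the fixed commits; `BASE_DIR`, the `ExamplePreview*` classes and the sample paths are constructed for illustration.

```ruby
# Added example (not ViewComponent's code): weak checks next to hardened ones.

BASE_DIR = "/app/previews"  # constructed sample root; nothing on disk is read

# Weak containment: a plain prefix test. A sibling directory such as
# "/app/previews_private" shares the prefix "/app/previews" and passes.
def contained_weak?(base, path)
  File.expand_path(path).start_with?(File.expand_path(base))
end

# Hardened containment: normalise both sides (expand_path collapses ".."),
# then require the candidate to be the base itself or to sit below it with a
# path separator on the boundary, so sibling names no longer match.
def contained_strict?(base, path)
  base_abs = File.expand_path(base)
  path_abs = File.expand_path(path)
  path_abs == base_abs || path_abs.start_with?(base_abs + File::SEPARATOR)
end

# Dispatching a user-supplied name with public_send reaches every public method
# the object inherits from its ancestors, not only the examples the preview
# author declared. The hardened form allowlists methods defined on the class
# itself (public_instance_methods(false) excludes inherited ones).
class ExamplePreviewBase
  # Stands in for an inherited helper that should not be reachable by name.
  def render_with_template(*)
    "inherited helper"
  end
end

class ExamplePreview < ExamplePreviewBase
  def default
    "default example"
  end

  def with_title
    "titled example"
  end
end

def dispatch_weak(preview, name)
  preview.public_send(name)
end

def allowed_examples(klass)
  klass.public_instance_methods(false).map(&:to_s)
end

def dispatch_strict(preview, name)
  return nil unless allowed_examples(preview.class).include?(name)

  preview.public_send(name)
end

if __FILE__ == $PROGRAM_NAME
  sibling = "/app/previews_private/secret.rb"
  puts "weak:   #{contained_weak?(BASE_DIR, sibling)}"    # true  (sibling accepted)
  puts "strict: #{contained_strict?(BASE_DIR, sibling)}"  # false (sibling rejected)
  puts "weak dispatch:   #{dispatch_weak(ExamplePreview.new, 'render_with_template')}"
  puts "strict dispatch: #{dispatch_strict(ExamplePreview.new, 'render_with_template').inspect}"
end
```

The separator check is the important detail: comparing against `base + "/"` rather than `base` is what distinguishes `/app/previews/x` from `/app/previews_private/x`, and expanding both paths first keeps `..` segments from slipping past the comparison. For the dispatch side, `public_instance_methods(false)` is a simple allowlist; a real fix may additionally filter by naming convention or an explicit registry, but the principle is the same: never let the request select among inherited methods.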
