CVE-2026-41316 — Vulnetix

CVE-2026-41316 PUBLISHED CVSS 8.100000381469727 HIGH

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

EPSS 0.05% · 15.1th percentile

Risk Scores

CVSS v3.1

8.100000381469727

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.05%

15.1th percentile

Affected Products

Vendor	Product	Versions
ruby	erb	< 4.0.3.1, = 4.0.4, >= 5.0.0, < 6.0.1.1

Timeline

Apr 21, 2026 PoC Published
Apr 22, 2026 PoC Published
Apr 24, 2026 CVE Published
Apr 25, 2026 Security Advisory
Apr 29, 2026 CVE Updated
May 18, 2026 EPSS Score
May 18, 2026 Distribution Patch
May 18, 2026 Security Advisory
May 18, 2026 Distribution Patch
May 18, 2026 Security Advisory
May 18, 2026 Distribution Patch
May 18, 2026 Security Advisory

References

https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv url

Open in Interactive Console →