CVE-2026-41316

HIGH 8.1

ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

CWE	CWE-693
Vendor	ruby
Product	erb
Ecosystems	Ruby
Industries	Technology
Published	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for ruby erb

Be the first to know when new high vulnerabilities affecting ruby erb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

ruby / erb

< 4.0.3.1 = 4.0.4 >= 5.0.0, < 6.0.1.1 >= 6.0.2, < 6.0.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv