High severity8.1NVD Advisory· Published Apr 24, 2026· Updated Apr 29, 2026

CVE-2026-41316

Description

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an @_init instance variable guard in ERB#result and ERB#run to prevent code execution when an ERB object is reconstructed via Marshal.load (deserialization). However, three other public methods that also evaluate @src via eval() were not given the same guard: ERB#def_method, ERB#def_module, and ERB#def_class. An attacker who can trigger Marshal.load on untrusted data in a Ruby application that has erb loaded can use ERB#def_module (zero-arg, default parameters) as a code execution sink, bypassing the @_init protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
erbRubyGems	< 4.0.3.1	4.0.3.1
erbRubyGems	>= 4.0.4, < 4.0.4.1	4.0.4.1
erbRubyGems	>= 5.0.0, < 6.0.1.1	6.0.1.1
erbRubyGems	>= 6.0.2, < 6.0.4	6.0.4

Affected products

RubyGems/Erbinferred
Range: <2.2.0
Package: https://rubygems.org/gems/erb

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-q339-8rmv-2mhvghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41316ghsaADVISORY
github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhvnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000