CVE-2026-41316

ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv
https://access.redhat.com/errata/RHSA-2026:18030
https://access.redhat.com/errata/RHSA-2026:18039
https://access.redhat.com/errata/RHSA-2026:18065
https://access.redhat.com/errata/RHSA-2026:20596
https://access.redhat.com/errata/RHSA-2026:20606
https://access.redhat.com/errata/RHSA-2026:20614
https://access.redhat.com/errata/RHSA-2026:20670
https://access.redhat.com/errata/RHSA-2026:26312
https://access.redhat.com/errata/RHSA-2026:26655
https://access.redhat.com/security/cve/CVE-2026-41316
https://bugzilla.redhat.com/show_bug.cgi?id=2461369
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41316.json

Configurations

No configuration.

History

30 Jun 2026, 03:19

Type	Values Removed	Values Added
CWE		CWE-502
References		() https://access.redhat.com/errata/RHSA-2026:18030 - () https://access.redhat.com/errata/RHSA-2026:18039 - () https://access.redhat.com/errata/RHSA-2026:18065 - () https://access.redhat.com/errata/RHSA-2026:20596 - () https://access.redhat.com/errata/RHSA-2026:20606 - () https://access.redhat.com/errata/RHSA-2026:20614 - () https://access.redhat.com/errata/RHSA-2026:20670 - () https://access.redhat.com/errata/RHSA-2026:26312 - () https://access.redhat.com/errata/RHSA-2026:26655 - () https://access.redhat.com/security/cve/CVE-2026-41316 - () https://bugzilla.redhat.com/show_bug.cgi?id=2461369 - () https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41316.json -

24 Apr 2026, 03:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-24 03:16

Updated : 2026-06-30 03:19

NVD link : CVE-2026-41316

Mitre link : CVE-2026-41316

CVE.ORG link : CVE-2026-41316

JSON object : View

Products Affected

No product.

CWE

CWE-693

Protection Mechanism Failure

CWE-502

Deserialization of Untrusted Data

8.1 /10