PT-2026-33982 · Ruby On Rails · Active Support

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-41316

Severity: None. No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

ERB versions prior to 6.0.1.1
ERB versions prior to 6.0.4
ERB versions prior to 4.0.3.1
ERB versions prior to 4.0.4.1
Ruby versions prior to 4.0.3

Description

A deserialization guard bypass exists in ERB involving the init variable. The issue occurs when an application calls Marshal.load() on untrusted input while both the erb and activesupport libraries are loaded. Attackers can evade the guard via def_module, def_method, or def_class to achieve a deserialization bypass.

Recommendations

Update ERB to version 6.0.1.1, 6.0.4, 4.0.3.1, or 4.0.4.1. Update Ruby to version 4.0.3. As a temporary workaround, avoid calling Marshal.load() on untrusted data.
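As an added illustration of the workaround (example code written for this page, not from the advisory or from the ERB, Ruby or Rails projects): a boundary check that recognises Marshal blobs by their header bytes and refuses them, a JSON-only replacement loader with an allowlist of expected keys, and a small audit helper that lists Marshal.load call sites in source text. The module and method names are assumed.

```ruby
# Added example: keep untrusted data away from Marshal.load.
# Module and method names are hypothetical.
require "json"

module UntrustedInput
  # Marshal.dump output starts with the format version bytes 4.8
  # (0x04 0x08); recognise such blobs at the boundary and reject them
  # rather than deserializing them.
  MARSHAL_MAGIC = "\x04\x08".b.freeze

  def self.marshal_payload?(data)
    data.b.start_with?(MARSHAL_MAGIC)
  end

  # Replacement for Marshal.load on external data: JSON only, plain
  # data types only, and only the top-level keys the caller expects.
  def self.load(data, allowed_keys:)
    raise ArgumentError, "refusing Marshal payload from untrusted source" if marshal_payload?(data)

    parsed = JSON.parse(data, create_additions: false)
    raise ArgumentError, "expected a JSON object" unless parsed.is_a?(Hash)

    unexpected = parsed.keys - allowed_keys
    raise ArgumentError, "unexpected keys: #{unexpected.join(', ')}" unless unexpected.empty?

    parsed
  end

  # Audit helper: list the lines of a source file that call
  # Marshal.load or Marshal.restore so each call site can be reviewed
  # for untrusted inputs.
  def self.marshal_load_call_sites(source, path: "(input)")
    source.each_line.with_index(1).filter_map do |line, n|
      "#{path}:#{n}: #{line.strip}" if line =~ /\bMarshal\.(load|restore)\b/
    end
  end
end
```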

Related Identifiers

CVE-2026-41316

Affected Products

Active Support
Erb
Ruby