PT-2026-33982

Published: 2026-04-21 · Updated: 2026-06-08 · CVE-2026-41316

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ERB versions prior to 6.0.1.1
ERB versions prior to 6.0.4
ERB versions prior to 4.0.3.1
ERB versions prior to 4.0.4.1
Ruby versions prior to 4.0.3

Description

A deserialization guard bypass exists in ERB involving the init variable, the instance variable that ERB#result checks to confirm an object was actually constructed through ERB#initialize rather than reconstructed by a deserializer. The issue is reachable when an application calls Marshal.load() on untrusted input while both the erb and activesupport libraries are loaded. An attacker can evade the guard via `def module`, `def method`, or `def class`, so that a deserialized ERB object passes the check and its attacker-controlled template source is evaluated, which is why the impact is classified as remote code execution.

Recommendations

Update ERB to version 6.0.1.1, 6.0.4, 4.0.3.1, or 4.0.4.1, whichever corresponds to the release line in use, and update Ruby to version 4.0.3. As a temporary workaround, do not call Marshal.load() on untrusted data. Note that Marshal has no allow-list or "safe" mode: by design it can reconstruct almost any class loaded into the process, so the only reliable workaround is to keep attacker-controlled bytes out of Marshal.load() entirely and use a data-only format such as JSON for untrusted input.
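The mechanism behind this advisory, as an added example that is not code from the advisory, the erb gem, or ActiveSupport: the script below shows the Marshal.load() sink, why a genuine ERB instance cannot even be serialized, how the ERB#result initialization guard stops a naively forged ERB object (the specific guard bypass this CVE describes is not reproduced), and the recommended workaround of parsing untrusted input as JSON instead. It assumes Ruby 3.x with the bundled erb and json gems; the `@_init` instance-variable name and the "not initialized" error message are taken from the erb gem's own source rather than from the advisory, and the forged payload is constructed here for illustration.

```ruby
require 'erb'
require 'json'

# Added example (not the advisory's or the erb gem's code): the Marshal.load
# gadget sink, ERB's initialization guard, and the recommended workaround.

# 1. A legitimately built ERB cannot be Marshal.dump'ed at all: ERB#initialize
#    stores the class's singleton class in @_init (name from erb's source), and
#    Marshal refuses to serialize singleton classes. That is the guard's first
#    half: genuine ERB objects never appear in serialized data.
def dump_legit_erb
  Marshal.dump(ERB.new("hello <%= 1 + 1 %>"))
  :dumped
rescue TypeError
  :undumpable
end

# 2. Constructed sample payload: the byte stream an attacker would feed to
#    Marshal.load(). It is an ERB whose @src (the compiled template source that
#    ERB#result evals) is attacker-chosen Ruby. ERB.allocate skips
#    ERB#initialize, exactly as Marshal does when it rebuilds an object.
def forged_erb_payload(ruby_code)
  e = ERB.allocate
  e.instance_variable_set(:@src, ruby_code)
  e.instance_variable_set(:@lineno, 0)
  e.instance_variable_set(:@_init, nil)   # attacker cannot supply the singleton class
  Marshal.dump(e)
end

# 3. The vulnerable pattern: deserialize untrusted bytes, then render whatever
#    came out. Returns a tuple describing what happened instead of raising.
def vulnerable_render(untrusted_bytes)
  obj = Marshal.load(untrusted_bytes)           # the sink
  return [:not_erb, obj.class.name] unless obj.is_a?(ERB)
  begin
    [:executed, obj.result(binding)]            # evals attacker @src if the guard passes
  rescue ArgumentError => e                     # guard's second half: "not initialized"
    [:blocked_by_guard, e.message]
  end
end

# 4. The workaround the advisory recommends, made concrete: never hand
#    attacker bytes to Marshal; accept a data-only format and validate its
#    shape. JSON.parse reconstructs hashes, arrays and scalars only, so no
#    object graph (and no ERB) can ever be rebuilt from the input.
def safe_load(untrusted_bytes)
  data = JSON.parse(untrusted_bytes, create_additions: false)
  raise ArgumentError, "expected a JSON object" unless data.is_a?(Hash)
  data
rescue JSON::JSONError => e
  raise ArgumentError, "rejected: #{e.class}"
end

if $PROGRAM_NAME == __FILE__
  puts "dump genuine ERB:       #{dump_legit_erb}"
  puts "forged ERB via Marshal: #{vulnerable_render(forged_erb_payload('6 * 7')).inspect}"
  puts "plain hash via Marshal: #{vulnerable_render(Marshal.dump({ 'a' => 1 })).inspect}"
  puts "JSON workaround:        #{safe_load('{"user":"alice"}').inspect}"
  begin
    safe_load(forged_erb_payload('6 * 7'))
  rescue ArgumentError => e
    puts "JSON workaround on Marshal bytes: #{e.message}"
  end
end
```

The point of `vulnerable_render` is that the only thing standing between `Marshal.load` and `eval` of attacker-controlled source is the `@_init` comparison; the advisory describes a way to make that comparison pass when ActiveSupport is also loaded, which is why the fix is to upgrade and, until then, to stop treating Marshal as an input format for anything untrusted.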

Exploit

Fix

RCE

Protection Mechanism Failure


Weakness Enumeration

Related Identifiers

ALSA-2026:18030
ALSA-2026:18039
ALSA-2026:18065
ALSA-2026:20596
ALSA-2026:20606
ALSA-2026:20614
CVE-2026-41316
ECHO-F356-2B11-6F16
GHSA-Q339-8RMV-2MHV
OESA-2026-2263
OPENSUSE-SU-2026:10609-1
RHSA-2026:18030
RHSA-2026:18039
RHSA-2026:18065
RHSA-2026:20614
RHSA-2026:20670

Affected Products

Active Support
Erb
Rocky Linux
Ruby