{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41316", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T14:01:46.671Z", "datePublished": "2026-04-24T02:35:41.160Z", "dateUpdated": "2026-04-25T01:45:43.173Z"}, "containers": {"cna": {"title": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"}], "affected": [{"vendor": "ruby", "product": "erb", "versions": [{"version": "< 4.0.3.1", "status": "affected"}, {"version": "= 4.0.4", "status": "affected"}, {"version": ">= 5.0.0, < 6.0.1.1", "status": "affected"}, {"version": ">= 6.0.2, < 6.0.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:35:41.160Z"}, "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "source": {"advisory": "GHSA-q339-8rmv-2mhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:45:02.467085Z", "id": "CVE-2026-41316", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:45:43.173Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-25T01:45:02.467085Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:45:39.369Z"}}], "cna": {"title": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class", "source": {"advisory": "GHSA-q339-8rmv-2mhv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ruby", "product": "erb", "versions": [{"status": "affected", "version": "< 4.0.3.1"}, {"status": "affected", "version": "= 4.0.4"}, {"status": "affected", "version": ">= 5.0.0, < 6.0.1.1"}, {"status": "affected", "version": ">= 6.0.2, < 6.0.4"}]}], "references": [{"url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "name": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:35:41.160Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41316", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:45:43.173Z", "dateReserved": "2026-04-20T14:01:46.671Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T02:35:41.160Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue."}], "id": "CVE-2026-41316", "lastModified": "2026-04-24T14:50:56.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-04-24T03:16:11.897", "references": [{"source": "[email protected]", "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "erb: ERB: Arbitrary code execution via deserialization bypass", "id": "2461369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461369"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source code, which were not properly guarded against deserialization attacks."], "name": "CVE-2026-41316", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ruby4.0", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby3.3", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby3.4", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Not affected", "package_name": "ruby4.0", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-04-24T02:35:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-41316\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41316\nhttps://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"], "threat_severity": "Important"}