
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` …

Published: 23 April 2026 at 22:00:00

Alert date: 24 April 2026 at 04:01:58

Source: nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

ERB, a templating system for Ruby, contains a deserialization vulnerability that allows remote code execution. ERB#result checks an @_init instance variable so that an ERB object reconstructed by Marshal.load (which allocates the object without ever running ERB#initialize) cannot be evaluated, but three other public methods (ERB#def_method, ERB#def_module and ERB#def_class) do not perform that check. An attacker who can get a crafted ERB object deserialized can therefore use ERB#def_module to execute code in any Ruby application that has erb loaded and passes untrusted data to Marshal.load. The advisory gives the affected range as Ruby 2.7.0+ before ERB 2.2.0; fixes are in ERB 4.0.3.1, 4.0.4.1, 6.0.1.1 and 6.0.4. Upgrading removes this particular gadget but not the underlying hazard: Marshal.load on attacker-controlled bytes is unsafe regardless of ERB version, so the durable fix is to deserialize untrusted input with a data-only format such as JSON, or at minimum to reject Marshal streams that reference any class outside an allowlist before loading them.
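An added example, not code from the advisory, the ERB project or Ruby: a minimal walker for the Marshal 4.8 wire format that lists every class, module and struct name a stream would instantiate, and a `safe_marshal_load` wrapper that refuses to call Marshal.load on a stream referencing any class outside an allowlist. `MarshalScanner`, `safe_marshal_load`, `LegacySession` and the sample streams are assumptions for illustration. The hand-assembled `CRAFTED_ERB_STREAM` is only the Marshal header of an ERB instance with zero instance variables (no template source), which is enough to show the check firing on the class named in the advisory.

```ruby
# Added example: allowlist check for Marshal streams before Marshal.load.
# MarshalScanner, safe_marshal_load, LegacySession and the sample streams
# are assumptions for illustration, not part of ERB or Ruby.

# Walks a Marshal 4.8 stream and records every class, module and struct
# name it would instantiate. Nothing is loaded; malformed input raises.
class MarshalScanner
  def self.class_names(bytes)
    new(bytes).scan.names
  end

  def initialize(bytes)
    @buf = bytes.b
    @pos = 0
    @symbols = []  # symbol table, so ';' links resolve to the right name
    @classes = []
  end

  def scan
    major, minor = read_byte, read_byte
    raise ArgumentError, "unsupported Marshal version #{major}.#{minor}" unless [major, minor] == [4, 8]
    read_value
    raise ArgumentError, "trailing bytes after Marshal stream" unless @pos == @buf.bytesize
    self
  end

  def names
    @classes.uniq
  end

  private

  def read_byte
    raise ArgumentError, "truncated Marshal stream" if @pos >= @buf.bytesize
    b = @buf.getbyte(@pos)
    @pos += 1
    b
  end

  def read_bytes(n)
    raise ArgumentError, "truncated Marshal stream" if n < 0 || @pos + n > @buf.bytesize
    s = @buf.byteslice(@pos, n)
    @pos += n
    s
  end

  # Marshal's packed integer: 0 is a zero byte, -123..122 fit in one byte
  # offset by 5, larger values are a signed byte count then little-endian bytes.
  def read_int
    c = read_byte
    c -= 256 if c > 127
    return 0 if c == 0
    return c - 5 if c > 4
    return c + 5 if c < -4
    n = c > 0 ? 0 : -1
    c.abs.times do |i|
      n &= ~(0xff << (8 * i))
      n |= read_byte << (8 * i)
    end
    n
  end

  def read_symbol
    case read_byte
    when ":".ord then (@symbols << read_bytes(read_int)).last
    when ";".ord then @symbols.fetch(read_int)
    else raise ArgumentError, "expected a symbol"
    end
  end

  def read_string
    read_bytes(read_int)
  end

  def read_pairs
    read_int.times { read_value; read_value }
  end

  def record(name)
    @classes << name
  end

  # One value; the type byte decides how much follows. Only the types that
  # name a class (o S u U d e C c m M) are recorded; the rest are skipped.
  def read_value
    t = read_byte.chr
    case t
    when "0", "T", "F" then nil
    when "i" then read_int
    when ":", ";" then @pos -= 1; read_symbol
    when "\"", "f" then read_string
    when "l" then read_byte; read_bytes(read_int * 2)  # sign byte, then shorts
    when "/" then read_string; read_byte               # source, option flags
    when "@" then read_int                             # link to earlier object
    when "[" then read_int.times { read_value }
    when "{" then read_pairs
    when "}" then read_pairs; read_value               # hash with default
    when "I" then read_value; read_pairs               # value with ivars (e.g. encoding)
    when "o", "S" then record(read_symbol); read_pairs # object / struct
    when "u" then record(read_symbol); read_string     # _dump payload
    when "U", "d", "e", "C" then record(read_symbol); read_value
    when "c", "m", "M" then record(read_string)        # Class / Module reference
    else raise ArgumentError, "unknown Marshal type #{t.inspect}"
    end
  end
end

# Refuses to load a stream that would instantiate any class not explicitly
# allowed. Built-in containers and scalars are encoded natively and never
# recorded, so a pure-data stream passes an empty allowlist.
def safe_marshal_load(bytes, allowed: [])
  denied = MarshalScanner.class_names(bytes) - allowed
  unless denied.empty?
    raise SecurityError, "Marshal stream references disallowed classes: #{denied.join(', ')}"
  end
  Marshal.load(bytes)
end

# Constructed sample: a harmless application class that legitimately appears
# in serialized sessions.
class LegacySession
  attr_reader :user
  def initialize(user)
    @user = user
  end
end

# Constructed sample: Marshal header for an ERB instance with zero ivars
# ("o", symbol "ERB", ivar count 0). No template source is carried; it is
# just enough to show the allowlist rejecting the class.
CRAFTED_ERB_STREAM = "\x04\x08o:\x08ERB\x00".b

if __FILE__ == $0
  p safe_marshal_load(Marshal.dump({ "user" => "alice", "roles" => [:admin, 1] }))
  p safe_marshal_load(Marshal.dump(LegacySession.new("alice")), allowed: %w[LegacySession]).user
  begin
    safe_marshal_load(CRAFTED_ERB_STREAM, allowed: %w[LegacySession])
  rescue SecurityError => e
    puts e.message
  end
end
```

The scanner walks the whole stream before anything is instantiated, so a stream naming ERB (or any other class not on the allowlist) is rejected without Marshal.load ever allocating an object; truncated or unknown type bytes raise ArgumentError instead of being skipped. This is a containment measure for code that must keep accepting Marshal for now; it does not make Marshal a safe format for untrusted input, and moving such inputs to JSON remains the real fix.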

Affected products:

ERB
Ruby

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website shows information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
