LeakyCreds

CVE-2026-41316 - Vulnerability Analysis

Severity: High | CVSS: 8.1

Last Updated: April 24, 2026

Ruby ERB - Remote Code Execution

Published: April 24, 2026 | Updated: April 24, 2026 | Remote Exploitable

Overview

Ruby ERB before 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 contains a remote code execution vulnerability caused by a missing instance-variable guard in ERB#def_module during deserialization, letting attackers execute arbitrary code via Marshal.load on untrusted data. Exploitation requires the ability to trigger Marshal.load on untrusted data.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary code remotely by exploiting deserialization in ERB, potentially leading to full system compromise.

Mitigation

Update to ERB versions 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later.
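As an added example (not part of this advisory or of the erb gem), the following Ruby snippet classifies an installed erb version against the four fix releases named above and pulls the pinned version out of Gemfile.lock text. It assumes the conservative reading of "before": a version is patched only when it is at or above the fix release for its own x.y.z branch, or at or above 6.0.4; the sample lockfile is constructed.

```ruby
require "rubygems" # Gem::Version ships with RubyGems, so nothing extra to install

# Fix releases named in the advisory for CVE-2026-41316. Each is the first patched
# release on its own maintenance branch (identified by the first three segments).
ERB_FIX_RELEASES = %w[4.0.3.1 4.0.4.1 6.0.1.1 6.0.4].map { |v| Gem::Version.new(v) }.freeze

# Classify one erb gem version string as :patched or :vulnerable.
# Assumption (not stated in the advisory): a version is patched only if it is at
# or above the fix release for its own x.y.z branch, or at or above the newest fix
# release (6.0.4). Anything else, including releases on unlisted branches, is
# treated as unpatched, which is the conservative reading of "before ...".
def erb_status(version_string)
  v = Gem::Version.new(version_string)
  return :patched if v >= ERB_FIX_RELEASES.max

  branch_fix = ERB_FIX_RELEASES.find { |f| f.segments.first(3) == v.segments.first(3) }
  (branch_fix && v >= branch_fix) ? :patched : :vulnerable
end

# Pull the pinned erb version out of Gemfile.lock text: the "specs:" block lists
# each gem as "    name (version)". Returns nil when erb is not pinned at all.
def erb_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+erb \(([^)\s]+)\)\s*$/)
  m && m[1]
end

# Scan lockfile text and return a small report hash for a ticket or dashboard.
def scan_lockfile(lock_text)
  version = erb_version_from_lockfile(lock_text)
  return { version: nil, status: :not_pinned } unless version

  { version: version, status: erb_status(version) }
end

# Constructed sample lockfile (not taken from any real project) for a stand-alone run.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      erb (4.0.4)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    erb
LOCK

if __FILE__ == $PROGRAM_NAME
  report = scan_lockfile(SAMPLE_LOCK)
  puts "erb #{report[:version]}: #{report[:status]}" # erb 4.0.4: vulnerable
end
```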

Social Media Activity (1 post)

Fernando Briano
@picandocodigo
Apr 21, 2026

Ruby 4.0.3 Released This release only contains ERB 6.0.1.1, which fixes CVE-2026-41316. https://www.ruby-lang.org/en/news/2026/04/21/ruby-4-0-3-released/ #Ruby


Details

CVE ID: CVE-2026-41316
Severity: High
CVSS Score: 8.1
Type: insecure_deserialization
Status: new
EPSS: 0.0%
Social Posts: 1

CWE

  • CWE-693

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)