{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "4.0.3.1"
              },
              {
                "introduced": "5.0.0"
              },
              {
                "fixed": "6.0.1.1"
              },
              {
                "introduced": "6.0.2"
              },
              {
                "fixed": "6.0.4"
              },
              {
                "introduced": "= 4.0.4"
              },
              {
                "last_affected": "= 4.0.4"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b6be29fd0e0f5089447d2f8d18140ae78258621d"
            },
            {
              "introduced": "08b544cdb898b7479f500480bafc1876d19f8bba"
            },
            {
              "fixed": "93450765b5319cfb552a3d9719df137e8fbb75e9"
            },
            {
              "introduced": "8626c822ea8009008fb5884cfc949cbcafbe9680"
            },
            {
              "fixed": "4d2b45e140044f464794c0463d838d5cb4bba96c"
            },
            {
              "introduced": "b68bfed6a8aee5e1732d108718560babe1e8a275"
            }
          ],
          "repo": "https://github.com/ruby/erb",
          "type": "GIT"
        }
      ],
      "versions": [
        "= 4.0.4"
      ]
    }
  ],
  "aliases": [
    "GHSA-q339-8rmv-2mhv"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-693"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json"
  },
  "details": "ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.",
  "id": "CVE-2026-41316",
  "modified": "2026-07-11T03:54:03.625875246Z",
  "published": "2026-04-24T02:35:41.160Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41316.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:18030"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:18039"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:18065"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20596"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20606"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20614"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:20670"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26312"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:26655"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33462"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:33478"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:35834"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:37238"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/security/cve/CVE-2026-41316"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41316.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/ruby/erb/security/advisories/GHSA-q339-8rmv-2mhv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41316"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461369"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ERB has an @_init deserialization guard bypass via def_module / def_method / def_class"
}