A deserialization vulnerability (CVE-2026-41316) has been disclosed in the Ruby ERB gem. The flaw allows attackers to bypass the @_init guard that normally prevents code execution during Marshal.load deserialization, by invoking ERB#def_method, ERB#def_module, or ERB#def_class — which evaluate template source without checking the guard. Any Ruby application calling Marshal.load on untrusted data with both erb and activesupport loaded is vulnerable to arbitrary code execution, including all Ruby on Rails applications. The fix is to upgrade the erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, 6.0.4 or later. Versions 6.0.3 and below are affected.
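As an added triage helper (not code from the advisory or from the erb project), the following Ruby script turns the fixed-version list above into a check that a defender can run against a `Gemfile.lock`. It uses `Gem::Version` from RubyGems to compare versions, reports a version as fixed only when the advisory confirms it (6.0.4 or later, or a backport patch release such as 4.0.3.1 at or above its own patch line), and flags an application as exposed when it resolves both `erb` and `activesupport` to a non-fixed `erb`. The sample lockfile and the version numbers of the other gems in it are constructed for the example. A positive result means the dependency precondition holds; whether the application actually passes untrusted data to `Marshal.load` still has to be checked in the code.

```ruby
require "rubygems"

# Fixed releases as listed in the advisory.
FINAL_FIX = Gem::Version.new("6.0.4")
BACKPORT_FIXES = %w[4.0.3.1 4.0.4.1 6.0.1.1].map { |v| Gem::Version.new(v) }

# True only when the advisory confirms the version carries the fix:
# 6.0.4 or later, or a backport patch release (same x.y.z as a backport,
# at or above it). Patch lines the advisory does not mention (assumption:
# treat them as unconfirmed) come back false, the conservative answer.
def erb_patched?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= FINAL_FIX
  BACKPORT_FIXES.any? do |fix|
    v.segments.first(3) == fix.segments.first(3) && v >= fix
  end
end

# Resolved gems in a Gemfile.lock sit under "specs:" indented by exactly four
# spaces as "name (version)"; their dependencies are indented by six and are
# skipped by anchoring the regex at four spaces.
SPEC_LINE = /\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\z/

def lockfile_specs(lockfile_text)
  lockfile_text.each_line(chomp: true).filter_map do |line|
    m = SPEC_LINE.match(line)
    [m[1], m[2]] if m
  end.to_h
end

# Returns a small report. erb_version is nil when erb is not pinned in the
# lockfile (the bundled default gem is in use, so check `gem list erb`).
def assess_lockfile(lockfile_text)
  specs = lockfile_specs(lockfile_text)
  erb = specs["erb"]
  activesupport = specs.key?("activesupport")
  patched = erb ? erb_patched?(erb) : nil
  {
    erb_version: erb,
    activesupport_present: activesupport,
    erb_patched: patched,
    exposed: !!(erb && activesupport && !patched)
  }
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    activesupport (7.1.3)
      concurrent-ruby (~> 1.0, >= 1.0.2)
    concurrent-ruby (1.2.3)
    erb (4.0.4)
      cgi (>= 0.3.3)
    cgi (0.4.1)

PLATFORMS
  ruby

DEPENDENCIES
  activesupport
  erb
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  report = assess_lockfile(text)
  puts "erb #{report[:erb_version].inspect}, activesupport present: " \
       "#{report[:activesupport_present]}, erb fixed: #{report[:erb_patched].inspect}"
  puts(report[:exposed] ? "EXPOSED: upgrade erb" : "not exposed via lockfile versions")
end
```

Run it as `ruby check_erb.rb path/to/Gemfile.lock`; without an argument it evaluates the constructed sample, which resolves `erb (4.0.4)` alongside `activesupport` and is therefore reported as exposed.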

Source: ruby-lang.org

CVE-2026-41316: ERB @_init deserialization guard bypass via def_module / def_method / def_class