Skip to main content

Erb

1 CVEs product

Monthly

CVE-2026-41316 Ruby HIGH PATCH GHSA This Week

Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.

Deserialization RCE Erb
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Ruby ERB library via unsafe deserialization allows unauthenticated attackers to execute arbitrary code by exploiting incomplete protection in Marshal.load workflows. While ERB 2.2.0+ added guards to prevent code execution during deserialization in result() and run() methods, the def_module(), def_method(), and def_class() methods remained unprotected, enabling attackers to bypass the @_init safeguard. Exploitation requires high complexity (AV:N/AC:H) as applications must deserialize untrusted Marshal data with ERB loaded. No EPSS or KEV data available; exploitation likelihood depends on prevalence of unsafe Marshal.load patterns in Ruby codebases.

Deserialization RCE Erb
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy