Ruby 4.0.3 Released: Critical ERB Deserialization Fix

April 21, 2026

Ruby 4.0.3 has been released with a critical security fix for a deserialization vulnerability in ERB that could lead to arbitrary code execution.

The Issue (CVE-2026-41316)

A flaw in ERB allows code execution when objects are reconstructed via Marshal.load on untrusted data.

ERB includes an @_init guard to prevent this, but three methods bypass it:

  • ERB#def_method
  • ERB#def_module
  • ERB#def_class

These can evaluate template code without the guard, making them usable in deserialization attack chains.

Who Is Affected?

Any application that:

  • uses Marshal.load on untrusted data
  • loads both ERB and ActiveSupport

This includes most Ruby on Rails apps, especially if Marshal is used for:

  • caching
  • sessions (legacy apps)
  • IPC or data import

What To Do

  • Upgrade to a patched ERB version: 6.0.1.1+ (recommended via Ruby 4.0.3)
  • Avoid Marshal.load with untrusted input
  • Prefer safer formats like JSON
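One way to act on the last two recommendations for cache or session values, as an added example that is not from the advisory or from Ruby or ERB itself: an allow-listed JSON codec in which the serialized type name is resolved only through a fixed table (never a constant lookup by name) and unexpected fields are refused before any object is built. CacheEntry, SessionData and the sample payloads are constructed for the example.

```ruby
require "json"

# Constructed record types for this example; the allow-list below is the
# only place a serialized type name is resolved to a Ruby class.
CacheEntry  = Struct.new(:key, :value, :expires_at, keyword_init: true)
SessionData = Struct.new(:user_id, :csrf_token, keyword_init: true)

ALLOWED_TYPES = {
  "CacheEntry"  => CacheEntry,
  "SessionData" => SessionData,
}.freeze

class UnsafePayload < StandardError; end

# Serialize as plain JSON: a type tag plus the record's fields. Unlike
# Marshal.dump, only what this function chooses to emit is encoded.
def dump_record(record)
  name = ALLOWED_TYPES.key(record.class)
  raise ArgumentError, "not serializable: #{record.class}" unless name
  JSON.generate("type" => name, "data" => record.to_h)
end

# Deserialize from untrusted JSON. The type tag is looked up in the fixed
# allow-list (never Object.const_get, never Marshal.load), field names are
# checked against the Struct's members, and anything unexpected is
# rejected before any object is constructed.
def load_record(json)
  doc = JSON.parse(json)
  raise UnsafePayload, "top-level value is not an object" unless doc.is_a?(Hash)
  klass = ALLOWED_TYPES[doc["type"]]
  raise UnsafePayload, "type not allowed: #{doc["type"].inspect}" unless klass
  data = doc["data"]
  raise UnsafePayload, "data is not an object" unless data.is_a?(Hash)
  extra = data.keys - klass.members.map(&:to_s)
  raise UnsafePayload, "unexpected fields: #{extra.inspect}" unless extra.empty?
  klass.new(**data.transform_keys(&:to_sym))
end

# Convenience predicate: does this untrusted blob decode to an allowed record?
def safe_record?(json)
  load_record(json)
  true
rescue UnsafePayload, JSON::ParserError
  false
end

# Usage with constructed inputs; the hostile payload naming ERB is rejected
# without any object being built.
entry = CacheEntry.new(key: "user:42", value: { "plan" => "pro" }, expires_at: 1_800_000_000)
puts load_record(dump_record(entry)) == entry                 # true
puts safe_record?('{"type":"ERB","data":{"src":"x"}}')        # false
```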

Summary

This is a classic unsafe deserialization issue with a practical exploit path in common Ruby stacks.

If your app uses Marshal.load, you should treat this as urgent.