Ruby 4.0.3 fixes a serious ERB deserialization issue (CVE-2026-41316).

by Giménez Silva Germán Alberto — Today

ERB#def_method, def_module, def_class bypass the @_init guard → RCE via Marshal.load.

Rails apps are especially exposed.

Upgrade now.

RubyFlow The Ruby and Rails community linklog