Ruby erb gem Critical Code Execution Vulnerability, CVSS 9.8
Summary
CERT-Bund has issued a critical security advisory (WID-SEC-2026-1187) for a code execution vulnerability in the Ruby erb gem and Ruby on Rails. The flaw affects versions below 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 across multiple Ruby release branches. A remote, anonymous attacker can exploit this vulnerability to bypass security mechanisms and execute arbitrary code on affected systems. A mitigation is available as of the advisory date.
Organizations with Ruby or Ruby on Rails deployments should verify erb gem versions across all environments — production, staging, development, and CI/CD pipelines. The CVSS 9.8 score and remote exploitability make this a priority patch for any internet-facing application built on these frameworks. Given that mitigation is marked available, patching should proceed according to standard vulnerability management SLAs rather than waiting for further guidance.
What changed
CERT-Bund published a security advisory documenting a critical vulnerability (CVE referenced) in Ruby's erb gem affecting both the Ruby interpreter and Ruby on Rails framework. The vulnerability allows a remote, unauthenticated attacker to bypass security measures and execute arbitrary code. Multiple version branches are affected: 4.0.x, 4.0.4.x, 6.0.1.x, and 6.0.x lines below the specified patch thresholds. Mitigation is available and organizations should verify their installed versions.
Organizations running Ruby or Ruby on Rails in production or development environments should immediately inventory their erb gem versions and apply available patches. Development and DevOps teams should audit Gemfiles and dependency lock files for vulnerable versions. Security teams may wish to flag this advisory for application security review given the CVSS 9.8 severity and remote exploitability.
Archived snapshot
Apr 21, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
[WID-SEC-2026-1187] Ruby und Ruby on Rails (erb gem): Schwachstelle ermöglicht Codeausführung CVSS Base Score 9.8 (kritisch) CVSS Temporal Score 8.5 (hoch) Remoteangriff ja Datum 20.04.2026 Stand 21.04.2026 Mitigation ja
Betroffene Systeme
Betriebssystem
- Sonstiges
- UNIX
- Windows
Produktbeschreibung
Ruby ist eine interpretierte, objektorientierte Skriptsprache.
Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.
Produkte
20.04.2026
- Open Source Ruby erb gem <4.0.3.1
Open Source Ruby erb gem <4.0.4.1
Open Source Ruby erb gem <6.0.1.1
Open Source Ruby erb gem <6.0.4
Open Source Ruby on Rails erb gem <4.0.3.1
Open Source Ruby on Rails erb gem <4.0.4.1
Open Source Ruby on Rails erb gem <6.0.1.1
Open Source Ruby on Rails erb gem <6.0.4
Angriff
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Ruby und Ruby on Rails ausnutzen, um Sicherheitsmaßnahmen zu umgehen und so beliebigen Code auszuführen. CVE Informationen Versionshistorie Feedback zum Advisory geben
Related changes
Get daily alerts for CERT-Bund Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-Bund.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-Bund Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.