
Ruby ERB Vulnerability Allows Remote Code Execution


Summary

CSIRT-ITA issued Alert AL06/260423/CSIRT-ITA regarding CVE-2026-41316, a remote code execution vulnerability in Ruby's ERB templating library affecting erb gem version 6.0.3 and earlier. The vulnerability allows remote attackers to execute arbitrary code on target systems through maliciously crafted template input. The system impact rating is classified as High (66.41). Users are advised to update to patched versions following the vendor security bulletin at ruby-lang.org.

“If exploited, this vulnerability could allow a remote malicious user to execute arbitrary code on target systems.”

Why this matters

Technology companies and development teams using Ruby's erb gem in any production or internet-facing application should prioritize patching immediately, since erb 6.0.3 and all earlier versions are affected. This is a remote code execution vulnerability with no compensating controls mentioned, and the High impact rating (66.41) signals active exploitation potential. The CVSS-style metric suggests the vendor is likely tracking this as a critical or high-severity flaw.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by CSIRT-ITA on acn.gov.it. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors Italy CSIRT Advisories for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 15 changes logged to date.

What changed

CSIRT-ITA published a security advisory (AL06/260423/CSIRT-ITA) alerting to CVE-2026-41316, a remote code execution vulnerability in Ruby's ERB (Embedded Ruby) templating library. The vulnerability affects erb gem version 6.0.3 and all prior versions, allowing a remote attacker to execute arbitrary code on target systems by injecting malicious code through ERB template tags (<% %> and <%= %>).

Organizations running applications that use the erb gem should treat this as a high-priority patching event. The CVSS-based system impact rating of 66.41 (High) combined with the remote attack vector and arbitrary code execution capability means affected systems face significant risk of compromise if left unpatched. Security teams should identify applications using the vulnerable erb library, apply vendor-supplied patches immediately, and monitor for indicators of exploitation attempts.
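The advisory describes ERB as a library that runs Ruby code placed inside <% %> and <%= %> tags, and the flaw as injection through those tags. The Ruby script below is an added example, not code from the advisory, from ruby-lang.org, or from the erb gem, and it does not reproduce CVE-2026-41316, whose mechanism the page does not detail. It shows two defender-side steps the "What changed" section calls for: an inventory check that parses a Gemfile.lock and flags erb pinned at 6.0.3 or earlier (the range the advisory names), and the contrast between binding untrusted input into a fixed template as escaped data and evaluating untrusted input as the template itself. The lockfile fragment, the gem versions other than erb's, and the request value are constructed sample data; the function names are the example's own.

```ruby
require "erb"
require "rubygems" # Gem::Version, for comparing gem versions correctly

# --- 1. Inventory check: is the pinned erb gem in the advisory's affected range?

# Constructed Gemfile.lock fragment in the standard Bundler layout
# (sample data, not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      erb (6.0.3)
      rack (3.1.8)
  PLATFORMS
    ruby
LOCK

# The advisory lists erb 6.0.3 and earlier as affected.
LAST_AFFECTED_ERB = Gem::Version.new("6.0.3")

# Parse the four-space-indented "name (version)" lines of the specs block
# into a {name => Gem::Version} hash. Gem::Version orders 6.0.10 above
# 6.0.3, which a plain string comparison would get wrong.
def lockfile_versions(text)
  text.each_line.with_object({}) do |line, acc|
    next unless (m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/))
    acc[m[1]] = Gem::Version.new(m[2])
  end
end

# True when erb is pinned at a version the advisory marks as affected.
# A lockfile without erb yields false (nothing to patch there).
def erb_affected?(text)
  version = lockfile_versions(text)["erb"]
  !version.nil? && version <= LAST_AFFECTED_ERB
end

# --- 2. Templates are code: untrusted input must be data, never template source.

# Constructed value standing in for a request parameter; it carries an ERB
# tag and an HTML tag so that evaluation versus escaping is visible.
UNTRUSTED = "<%= 7 * 6 %><b>x</b>"

# Safe pattern: the template text is a fixed string under the developer's
# control; the untrusted value is bound as a local variable and
# HTML-escaped on output, so the tags inside it are rendered as text.
FIXED_TEMPLATE = ERB.new("Hello, <%= ERB::Util.html_escape(name) %>!")

def render_safely(name)
  FIXED_TEMPLATE.result_with_hash(name: name)
end

# Unsafe pattern: the untrusted value becomes the template itself, so ERB
# compiles and runs whatever Ruby sits inside its tags. Kept only so the
# contrast with render_safely is concrete.
def render_unsafely(input)
  ERB.new(input).result(binding)
end

if __FILE__ == $PROGRAM_NAME
  puts "erb in affected range: #{erb_affected?(SAMPLE_LOCKFILE)}"
  puts render_safely(UNTRUSTED)   # tags survive as escaped text
  puts render_unsafely(UNTRUSTED) # tag was evaluated
end
```

Run the lockfile check across every application's Gemfile.lock to build the patch list; it reports an affected range, not the presence of the bug, so a pinned erb above 6.0.3 still needs the vendor's fixed version confirmed from the bulletin. The rendering contrast is the general reason template libraries treat template source as trusted: the hardened form keeps user input out of the template entirely, and it is a design rule to keep after patching, not a substitute for the update.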

Archived snapshot

Apr 25, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.


Security updates for Ruby

**Alert**

AL06/260423/CSIRT-ITA


Summary

A vulnerability has been detected affecting “erb”, a Ruby library that generates dynamic text by inserting Ruby code inside templates (usually HTML) through special tags such as <% %> and <%= %>. If exploited, this vulnerability could allow a remote malicious user to execute arbitrary code on target systems.

Type

Remote Code Execution

Affected products and versions

erb gem, version 6.0.3 and earlier

Mitigation actions

In line with the vendor's statements, it is recommended to update the vulnerable versions by following the instructions in the security bulletin listed in the References section.

CVE (1)

| CVE | POC | EXPLOITATION |
| --- | --- | --- |
| CVE-2026-41316 | - | - |

References (1)

  1. https://www.ruby-lang.org/en/news/2026/04/21/erb-cve-2026-41316/

Change log

| Version | Notes | Date |
| --- | --- | --- |
| 1.0 | Published on 23-04-2026 | 23/04/2026 |

Systemic impact

High (66.41)

Topics

Publication date

23/04/26 at 16:27

Last update date

23/04/26 at 16:27


About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSIRT-ITA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.


Classification

Agency
CSIRT-ITA
Published
April 23rd, 2026
Instrument
Guidance
Branch
Executive
Source language
it
Legal weight
Non-binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Technology companies
Industry sector
5112 Software & Technology
Activity scope
Vulnerability disclosure Patch management
Geographic scope
IT IT

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Software & Technology
