CVE-2026-23885

EPSS 0.43%
Veröffentlicht 19.01.2026 21:09:06
Zuletzt bearbeitet 09.04.2026 14:54:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Alchemy-cms ≫ Alchemy Cms Version < 7.4.12

Alchemy-cms ≫ Alchemy Cms Version >= 8.0.0 < 8.0.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.339

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
security-advisories@github.com	6.4	0.5	5.9	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979

Vendor Advisory

https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26

Patch

https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7

Patch

https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12

Release Notes

https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-23885

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23885

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23885

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23885