Skip to main content

Alchemy Cms CVE-2026-23885

MEDIUM
Eval Injection (CWE-95)
2026-01-19 security-advisories@github.com GHSA-2762-657x-v979
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 19, 2026 - 22:16 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval() function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. The vulnerability exists in app/helpers/alchemy/resources_helper.rb at line 28. The code explicitly bypasses security linting with `

rubocop:disable Security/Eval, indicating that the use of a dangerous function was known but not properly mitigated. Since engine_name is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing eval() with send()`.

AnalysisAI

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Technical ContextAI

This vulnerability (CWE-95: Eval Injection) affects Alchemy is an open source content management system engine written in Ruby on Rails.. Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval() function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. The vulnerability exists in app/helpers/alchemy/resources_helper.rb at line 28. The code explicitly bypasses security linting with `

rubocop:disable Security/Eval`, indicating that the use

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2026-23885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy