Skip to main content

Alchemy Cms

2 CVEs product

Monthly

CVE-2026-23885 Ruby MEDIUM PATCH This Month

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Code Injection RCE Alchemy Cms
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2018-18307 MEDIUM POC This Month

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Alchemy Cms
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
1.7%
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Arbitrary code execution in Alchemy CMS before versions 7.4.12 and 8.0.3 stems from unsafe use of Ruby's eval() function on the resource_handler.engine_name parameter in the ResourcesHelper class. An authenticated administrator can manipulate module configurations to inject and execute arbitrary system commands with the privileges of the Ruby process. The vulnerability requires high privileges and careful setup to exploit, but completely bypasses the Ruby sandbox once successful.

Code Injection RCE Alchemy Cms
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Alchemy Cms
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy