Description
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.
Published: 2026-01-19
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability originates from the use of Ruby's eval() function in AlchemyCMS's ResourcesHelper, which evaluates a string taken from the resource_handler.engine_name attribute without validation. An attacker who can authenticate with administrative privileges can supply malicious code through engine_name and thereby execute arbitrary system commands. The flaw is classified as CWE-95 (eval injection); successful exploitation compromises the host operating system and all data stored on it.

Affected Systems

The affected product is the AlchemyCMS engine published by the AlchemyCMS project. Versions prior to 7.4.12 and 8.0.3 contain the flaw; the updates that replace eval() with the safer send() method remedy it.

Risk and Exploitability

The CVSS score of 6.4 classifies the flaw as medium severity, but the remote code execution impact elevates its operational risk. The EPSS score of less than 1% indicates a low probability of widespread exploitation in the wild, and the flaw is not currently listed in the CISA KEV catalog. Moreover, only users with administrative access to the CMS can trigger the vulnerability, so the attack surface is limited to authenticated privileged accounts. Prompt patching and strict role separation are the essential mitigations.

Generated by OpenCVE AI on April 18, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AlchemyCMS to at least version 7.4.12 or 8.0.3 to replace eval() with send()
  • Verify that the resource_handler.engine_name attribute cannot be manipulated by non-administrative users or external input
  • Restrict administrative access and enforce least-privilege principles to prevent unauthorized use of the CMS's editor features
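As an added example (not AlchemyCMS's own code and not taken from the advisory), the Ruby below sketches the pattern the description and the recommended actions refer to: a helper that hands `resource_handler.engine_name` to `eval`, beside a hardened helper that dispatches with `send`/`public_send` and rejects any name outside an allowlist of known engine route proxies. The class names, the `RouteProxies` module and the `ALLOWED_ENGINES` list are assumptions made for illustration; only the method name `resource_url_proxy`, the attribute `engine_name` and the `eval`-to-`send` replacement come from the advisory.

```ruby
# Added example, not AlchemyCMS's own code: the eval-on-a-string pattern from
# CVE-2026-23885 beside a hardened send()+allowlist replacement. Class and
# module names below are assumptions made for illustration.

# Stand-in for a resource handler; engine_name is the string the helper
# dispatches on (the attribute named in the advisory).
ResourceHandler = Struct.new(:engine_name)

# Stand-in for the Rails route proxy methods a view helper can reach.
module RouteProxies
  def main_app
    "main_app route proxy (constructed)"
  end

  def alchemy
    "alchemy route proxy (constructed)"
  end
end

class VulnerableHelper
  include RouteProxies

  # Pre-fix shape: the string is evaluated as Ruby source, so anything beyond
  # a bare method name (an expression, a call with arguments) is executed too.
  def resource_url_proxy(resource_handler)
    eval(resource_handler.engine_name) # rubocop:disable Security/Eval
  end
end

class HardenedHelper
  include RouteProxies

  # Only the route proxies the helper is meant to reach (assumed list).
  ALLOWED_ENGINES = %w[main_app alchemy].freeze

  # Post-fix shape: dispatch by method name instead of evaluating source text.
  # The allowlist narrows it further, so a configured value cannot reach
  # unrelated methods on the helper (send alone would also find private ones,
  # including those mixed in from Kernel).
  def resource_url_proxy(resource_handler)
    name = resource_handler.engine_name.to_s
    unless ALLOWED_ENGINES.include?(name)
      raise ArgumentError, "unknown engine name: #{name.inspect}"
    end
    public_send(name)
  end
end

# Runs one dispatch and reports either the returned value or the rejection.
def dispatch_outcome(helper, engine_name)
  helper.resource_url_proxy(ResourceHandler.new(engine_name))
rescue ArgumentError, NoMethodError => e
  "rejected: #{e.class}"
end

if __FILE__ == $PROGRAM_NAME
  [["alchemy", "expected engine name"],
   ["1 + 1", "arbitrary expression"],
   ["object_id", "unrelated method name"]].each do |name, label|
    puts "#{label.ljust(22)} vulnerable=#{dispatch_outcome(VulnerableHelper.new, name).inspect} " \
         "hardened=#{dispatch_outcome(HardenedHelper.new, name).inspect}"
  end
end
```

With the expected name both helpers return the route proxy; with `"1 + 1"` the eval-based helper returns 2 (an expression was executed, not a method looked up), while the hardened helper raises. The `object_id` case is why the allowlist matters on top of `send`: `send` still dispatches to any method the helper object has, so bounding the set of accepted names (or checking `respond_to?` against a known list) is the check that actually limits what an administrator-controlled configuration value can invoke.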


Tracking


Advisories
Source: Github GHSA
ID: GHSA-2762-657x-v979
Title: AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
History

Thu, 09 Apr 2026 15:00:00 +0000

Type: CPEs
Value: cpe:2.3:a:alchemy-cms:alchemy_cms:*:*:*:*:*:*:*:*

Wed, 21 Jan 2026 22:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 15:15:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values: Alchemy-cms; Alchemy-cms alchemy Cms
Type: Vendors & Products
Values: Alchemy-cms; Alchemy-cms alchemy Cms

Mon, 19 Jan 2026 21:30:00 +0000

Type: Description
Value: Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.
Type: Title
Value: AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Type: Weaknesses
Value: CWE-95
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T21:12:51.110Z

Reserved: 2026-01-16T21:02:02.901Z

Link: CVE-2026-23885

Vulnrichment

Updated: 2026-01-21T21:12:43.655Z

NVD

Status: Analyzed

Published: 2026-01-19T22:16:02.453

Modified: 2026-04-09T14:54:27.540

Link: CVE-2026-23885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses