CVE-2026-23885: AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. Alchemy::ResourcesHelper#resource_url_proxy passes the string held in the resource_handler.engine_name attribute to Ruby's eval, so the attribute is executed as Ruby source instead of being treated as the name of a route proxy. An authenticated user who can influence that attribute can therefore run arbitrary Ruby inside the application process. The fix is in the two referenced commits and ships in releases v7.4.12 and v8.0.3; deployments on earlier versions should upgrade. Because the advisory is in ruby-advisory-db (referenced below), `bundle audit check --update` run against an affected Gemfile.lock reports it.
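The following is an added example, not AlchemyCMS code, that models the pattern the advisory describes (Kernel#eval on resource_handler.engine_name) beside one hardened form that treats the attribute as a name looked up in an allow-list. ViewContext, its proxy methods, ResourceHandler, PROBE and the payload string are constructed for illustration; how the project's helper actually builds its eval call, and what its real fix looks like, is an assumption here and should be read from the referenced commits.

```ruby
# Added example, not AlchemyCMS code: models the eval-injection shape the advisory
# describes (Kernel#eval on resource_handler.engine_name) next to one hardened form.
# ViewContext, its proxy methods, ResourceHandler, PROBE and PAYLOAD are constructed
# for illustration; the project's real fix is in the referenced commits.

ResourceHandler = Struct.new(:engine_name)

# Stands in for a command the payload would run on the server.
PROBE = []

class ViewContext
  # Stand-ins for the Rails route proxies a view helper can reach
  # (main_app plus the proxy of a mounted engine).
  def main_app
    "route_proxy(main_app)"
  end

  def alchemy
    "route_proxy(alchemy)"
  end

  # Vulnerable shape: engine_name is executed as Ruby source in the helper's
  # binding, so any Ruby placed in the attribute runs with the app's privileges.
  def resource_url_proxy_vulnerable(resource_handler)
    eval(resource_handler.engine_name) # rubocop:disable Security/Eval
  end

  # Hardened shape: engine_name is a *name*, checked against a fixed allow-list
  # of mounted engines and dispatched with public_send. Anything else raises.
  ENGINE_PROXIES = %w[alchemy].freeze

  def resource_url_proxy_safe(resource_handler)
    name = resource_handler.engine_name.to_s
    unless ENGINE_PROXIES.include?(name)
      raise ArgumentError, "unknown engine proxy #{name.inspect}"
    end
    public_send(name)
  end
end

# Constructed attacker value: arbitrary Ruby ahead of the expression the helper
# expects, so the call still returns a valid-looking proxy after the side effect.
PAYLOAD = "PROBE << :code_executed; alchemy".freeze

# Returns [benign result, payload result, what the payload did].
def demo_vulnerable
  PROBE.clear
  ctx = ViewContext.new
  benign = ctx.resource_url_proxy_vulnerable(ResourceHandler.new("alchemy"))
  hijacked = ctx.resource_url_proxy_vulnerable(ResourceHandler.new(PAYLOAD))
  [benign, hijacked, PROBE.dup]
end

# Returns [benign result, :rejected or :executed for the payload, what the payload did].
def demo_safe
  PROBE.clear
  ctx = ViewContext.new
  benign = ctx.resource_url_proxy_safe(ResourceHandler.new("alchemy"))
  outcome = begin
    ctx.resource_url_proxy_safe(ResourceHandler.new(PAYLOAD))
    :executed
  rescue ArgumentError
    :rejected
  end
  [benign, outcome, PROBE.dup]
end

if __FILE__ == $PROGRAM_NAME
  p demo_vulnerable # => ["route_proxy(alchemy)", "route_proxy(alchemy)", [:code_executed]]
  p demo_safe       # => ["route_proxy(alchemy)", :rejected, []]
end
```

The point to notice is that the vulnerable helper returns the expected proxy for both inputs: the injected code runs as a side effect and nothing in the call's result betrays it, which is why code review rather than output inspection finds this class of bug. The hardened form keeps the same call shape but refuses any value that is not a known engine name; replacing eval with a bare `send`/`public_send` on an unchecked string would still let the caller invoke arbitrary methods on the view context, so the allow-list is the part that matters.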
References
- github.com/AlchemyCMS/alchemy_cms
- github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
- github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
- github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
- github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
- github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
- github.com/advisories/GHSA-2762-657x-v979
- github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml
- nvd.nist.gov/vuln/detail/CVE-2026-23885