Search for packages
| purl | pkg:gem/alchemy_cms@3.4.0.rc1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2bug-1cu2-d7dx
Aliases: CVE-2018-18307 GHSA-7mj4-2984-955f |
Withdrawn Advisory: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field ## Withdrawn Advisory This advisory has been withdrawn because it does not describe a vulnerability. The maintainer states the following: > The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected as unauthorized. ## Original Description A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. | There are no reported fixed by versions. |
|
VCID-zw14-4911-h3ab
Aliases: CVE-2026-23885 GHSA-2762-657x-v979 |
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T18:15:52.971098+00:00 | Ruby Importer | Affected by | VCID-zw14-4911-h3ab | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |
| 2026-06-04T18:13:27.942668+00:00 | Ruby Importer | Affected by | VCID-2bug-1cu2-d7dx | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2018-18307.yml | 38.6.0 |