Search for packages
| purl | pkg:gem/alchemy_cms@6.0.14 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-zw14-4911-h3ab
Aliases: CVE-2026-23885 GHSA-2762-657x-v979 |
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:43:22.236549+00:00 | GitLab Importer | Affected by | VCID-zw14-4911-h3ab | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |
| 2026-06-04T18:15:53.242888+00:00 | Ruby Importer | Affected by | VCID-zw14-4911-h3ab | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |