Search for packages
| purl | pkg:gem/alchemy_cms@8.0.3 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-zw14-4911-h3ab
Aliases: CVE-2026-23885 GHSA-2762-657x-v979 |
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-zw14-4911-h3ab | AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. |
CVE-2026-23885
GHSA-2762-657x-v979 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T18:15:53.939917+00:00 | Ruby Importer | Fixing | VCID-zw14-4911-h3ab | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |
| 2026-06-04T18:15:53.464931+00:00 | Ruby Importer | Affected by | VCID-zw14-4911-h3ab | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |
| 2026-06-04T16:54:48.973454+00:00 | GithubOSV Importer | Fixing | VCID-zw14-4911-h3ab | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2762-657x-v979/GHSA-2762-657x-v979.json | 38.6.0 |
| 2026-06-02T04:49:38.972772+00:00 | GitLab Importer | Fixing | VCID-zw14-4911-h3ab | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/alchemy_cms/CVE-2026-23885.yml | 38.6.0 |