CVE-2026-23885
Arbitrary Code Execution via Eval in Alchemy CMS Resource Helper
Publication date: 2026-01-19
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| alchemy-cms | alchemy_cms | < 7.4.12 (fixed in 7.4.12) |
| alchemy-cms | alchemy_cms | >= 8.0.0 and < 8.0.3 (fixed in 8.0.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in the Alchemy CMS resource helper, where Ruby's eval() is called on a string taken from the resource_handler.engine_name attribute. eval() treats its argument as Ruby source, so whatever reaches that string is executed in the application process. Because engine_name can be influenced through administrative configuration, an attacker with administrative access can place Ruby code in it and have it run, including arbitrary system commands on the host. This is a dynamic code evaluation flaw (CWE-95): the root cause is the eval() call itself, not any missing escaping around it.
How can this vulnerability impact me?
An attacker with administrative access can execute arbitrary code and system commands on the host operating system as the Alchemy application user, which can lead to full system compromise, data loss or theft, and unauthorized control over the server and any credentials or services it can reach.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Alchemy CMS to 7.4.12 (7.x series) or 8.0.3 (8.x series) or later. These releases replace the eval() call with send(), which dispatches a method by name instead of evaluating the string as Ruby source, so a string that is not a method name raises NoMethodError rather than executing. Until the upgrade is applied, treat administrative access to Alchemy as equivalent to shell access on the host and restrict it accordingly.
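To make the eval()-versus-send() distinction from the two answers above concrete, here is an added example in plain Ruby. It is not Alchemy's code: UrlProxies, ResourceHandler, the route-proxy methods and the three resource_url_proxy_* helpers are hypothetical stand-ins for a Rails view context and the resource handler, and the "strict" variant is an extra hardening step written for this example, not the project's patch. The malicious input sets a global variable instead of running a system command so the script is safe to execute.

```ruby
# Added example (not Alchemy's code): the eval-vs-send pattern from the
# advisory, reduced to plain Ruby so it runs without Rails.
# UrlProxies stands in for a view context in which every mounted engine
# exposes a method returning its route proxy (modelled here as a symbol).
class UrlProxies
  # Explicit allowlist of engine route-proxy method names (assumption made
  # for this example; a real app would derive it from its mounted engines).
  ENGINE_ROUTE_PROXIES = %i[main_app alchemy].freeze
  ENGINE_NAME_SYNTAX = /\A[a-z_][a-z0-9_]*\z/

  def main_app
    :main_app_routes
  end

  def alchemy
    :alchemy_routes
  end

  # Vulnerable shape: the engine name string is handed to eval, so any Ruby
  # source embedded in it executes in this object's context.
  def resource_url_proxy_vulnerable(handler)
    handler.in_engine? ? eval(handler.engine_name) : main_app
  end

  # Fixed shape (what the advisory describes): send dispatches a method by
  # name; a string that is not a method name raises NoMethodError instead
  # of being executed as code.
  def resource_url_proxy_fixed(handler)
    handler.in_engine? ? send(handler.engine_name) : main_app
  end

  # Stricter variant (hypothetical hardening, not the project's patch):
  # validate the name syntactically, check it against an allowlist and use
  # public_send so private Kernel methods such as exit cannot be reached.
  def resource_url_proxy_strict(handler)
    return main_app unless handler.in_engine?

    name = handler.engine_name.to_s
    unless name.match?(ENGINE_NAME_SYNTAX) && ENGINE_ROUTE_PROXIES.include?(name.to_sym)
      raise ArgumentError, "unknown engine route proxy: #{name.inspect}"
    end
    public_send(name)
  end
end

# Minimal stand-in for the resource handler: in_engine? is true whenever an
# engine name is configured.
ResourceHandler = Struct.new(:engine_name) do
  def in_engine?
    !engine_name.nil? && !engine_name.empty?
  end
end

# Constructed inputs: a legitimate engine name, a handler outside any
# engine, and an engine name carrying injected Ruby code.
LEGIT   = ResourceHandler.new("alchemy")
NO_ENG  = ResourceHandler.new(nil)
PAYLOAD = ResourceHandler.new("alchemy; $injected = :code_ran")

# Runs each helper against the inputs and records results plus whether the
# injected statement actually executed ($injected is the canary).
def demo
  proxies = UrlProxies.new
  results = {}

  $injected = nil
  results[:vuln_legit] = proxies.resource_url_proxy_vulnerable(LEGIT)
  results[:vuln_no_engine] = proxies.resource_url_proxy_vulnerable(NO_ENG)
  results[:vuln_payload] = proxies.resource_url_proxy_vulnerable(PAYLOAD)
  results[:vuln_side_effect] = $injected

  $injected = nil
  results[:fixed_legit] = proxies.resource_url_proxy_fixed(LEGIT)
  results[:fixed_payload] = begin
    proxies.resource_url_proxy_fixed(PAYLOAD)
  rescue NoMethodError => e
    e.class
  end
  results[:fixed_side_effect] = $injected

  results[:strict_legit] = proxies.resource_url_proxy_strict(LEGIT)
  results[:strict_payload] = begin
    proxies.resource_url_proxy_strict(PAYLOAD)
  rescue ArgumentError => e
    e.class
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script shows the vulnerable helper returning :code_ran with the canary set (the injected statement ran), while the send() version raises NoMethodError and leaves the canary untouched. The strict variant exists because send() can still reach private methods on the receiver, including Kernel methods inherited by every object: an engine name of "exit", for instance, would terminate the process, so an allowlist plus public_send is the more defensive shape when the name is not fully trusted.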