Cyber Resilience

CVE-2026-23885

Medium

Published: 19 January 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (7.4.12 / 8.0.3)
CVSS v3.1 score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0043 (34.0th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-23885 is a medium-severity Eval Injection (CWE-95) vulnerability in Alchemy CMS (vendor: Alchemy-Cms). Its CVSS v3.1 base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23885 is a code injection vulnerability (CWE-95) in Alchemy, an open-source Ruby on Rails content management system. It affects versions prior to 7.4.12 and 8.0.3, specifically in the `Alchemy::ResourcesHelper#resource_url_proxy` method within `app/helpers/alchemy/resources_helper.rb` at line 28. The flaw stems from the use of Ruby's `eval()` function to dynamically execute a string derived from the `resource_handler.engine_name` attribute, with the code explicitly bypassing security linting via `# rubocop:disable Security/Eval`. The `engine_name` value originates from module definitions that can be influenced by administrative configurations.

An authenticated attacker with high privileges can exploit this vulnerability by manipulating the `engine_name` through administrative configurations. This allows them to escape the Ruby sandbox and execute arbitrary system commands on the host operating system. The CVSS v3.1 base score of 6.4 (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects the need for local access, high attack complexity, and high privileges required.

The AlchemyCMS advisory and patches recommend upgrading to version 7.4.12 or 8.0.3, where the issue is fixed by replacing `eval()` with the safer `send()` method. The relevant GitHub commits are 55d03ec600fd9e07faae1138b923790028917d26 and 563c4ce45bf5813b7823bf3403ca1fc32cb769e7, with release tags v7.4.12 and v8.0.3; further details are in the GHSA-2762-657x-v979 security advisory.

Vulnerability details

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.
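To make the eval-versus-send distinction concrete, here is an added stand-alone model of the defect class described above; it is not Alchemy's code. `EngineRegistry`, `Handler`, the three `resource_url_proxy_*` methods and the `ALLOWED_ENGINES` allow-list are all constructed for this illustration (the allow-list is a defence-in-depth step beyond the fix the advisory describes).

```ruby
# Added illustration, not Alchemy's code: EngineRegistry, Handler and the proxy
# methods below are constructed to contrast eval() with send() on one engine_name.

# Stand-in for the object whose engine route proxies engine_name selects.
class EngineRegistry
  def alchemy
    "alchemy_engine_routes"
  end

  def main_app
    "main_app_routes"
  end
end

# Stand-in for resource_handler; engine_name comes from admin-editable config.
Handler = Struct.new(:engine_name)

# Vulnerable shape: engine_name is spliced into Ruby source text. eval() parses
# and runs the whole string, so anything appended after a valid method name is
# executed as Ruby with the privileges of the Rails process.
def resource_url_proxy_unsafe(handler, registry)
  eval("registry.#{handler.engine_name}") # rubocop:disable Security/Eval
end

# Patched shape (as described for 7.4.12 / 8.0.3): the string is only a method
# name. send() never parses it as code; an injected expression is merely an
# unknown method name and raises NoMethodError instead of running.
def resource_url_proxy_patched(handler, registry)
  registry.send(handler.engine_name)
end

# Defence-in-depth beyond the described fix (an assumption of this example, not
# the project's change): dispatch only to an explicit list of engine methods,
# so send() cannot reach private or unrelated methods on the receiver either.
ALLOWED_ENGINES = %w[alchemy main_app].freeze

def resource_url_proxy_allowlisted(handler, registry)
  name = handler.engine_name.to_s
  raise ArgumentError, "unregistered engine_name #{name.inspect}" unless ALLOWED_ENGINES.include?(name)
  registry.public_send(name)
end

if __FILE__ == $PROGRAM_NAME
  registry = EngineRegistry.new
  # Constructed tampered value: a valid engine name followed by a second Ruby statement.
  tampered = Handler.new("alchemy; $tampered_ran = true")
  resource_url_proxy_unsafe(tampered, registry)
  puts "eval executed the appended statement: #{$tampered_ran.inspect}" # true
  puts "send raises: #{(resource_url_proxy_patched(tampered, registry) rescue $!.class)}"
end
```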

CWE(s)

CWE-95 (Eval Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Code injection via unsafe eval() on admin-controlled input directly enables arbitrary Unix shell command execution on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44128, CVE-2026-33618, CVE-2013-10051, CVE-2025-8420, CVE-2026-35002, CVE-2026-29091, CVE-2026-31254, CVE-2026-48962, CVE-2026-4001, CVE-2024-10633 (all share CWE-95)

Affected Assets

alchemy-cms / alchemy cms: ≤ 7.4.12 · 8.0.0 to 8.0.3

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-10 (Information Input Validation): directly blocks unsafe engine_name values from module definitions before they reach eval() in resource_url_proxy.

prevent · SI-2 (Flaw Remediation): requires prompt application of the vendor patch that replaces eval() with send() in versions 7.4.12/8.0.3.

prevent: restricts which privileged users can modify the administrative module definitions that supply the dangerous engine_name attribute.
