Cyber Posture

CVE-2026-23885

Medium

Published: 19 January 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: fixed in 7.4.12 and 8.0.3
CVSS Score: 6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23885 is a medium-severity Eval Injection (CWE-95) vulnerability in AlchemyCMS (NVD vendor/product: alchemy-cms / alchemy cms), an open-source Ruby on Rails content management system. Its CVSS v3.1 base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). EPSS ranks it at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that the CVSS vector (AV:L, PR:H) already assumes an attacker holding high privileges; the value of the bug to such an attacker is turning administrative CMS configuration into code execution inside the Rails process.

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Code injection via an unsafe eval() of admin-influenced input lets the attacker run arbitrary Ruby in the application process, and from Ruby any Unix shell command (for example via Kernel#system or backticks) on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.

Deeper analysis

CVE-2026-23885 is a code injection vulnerability (CWE-95) in Alchemy, an open-source Ruby on Rails content management system. It affects versions prior to 7.4.12 and 8.0.3, specifically in the `Alchemy::ResourcesHelper#resource_url_proxy` method within `app/helpers/alchemy/resources_helper.rb` at line 28. The flaw stems from the use of Ruby's `eval()` function to dynamically execute a string derived from the `resource_handler.engine_name` attribute, with the code explicitly bypassing security linting via `# rubocop:disable Security/Eval`. The `engine_name` value originates from module definitions that can be influenced by administrative configurations.

An authenticated attacker with high privileges can exploit this vulnerability by steering the `engine_name` value through administrative configuration. Because the string is evaluated as Ruby source, the attacker runs arbitrary Ruby inside the Rails process and, through it, arbitrary system commands on the host operating system. The CVSS v3.1 base score of 6.4 (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects the need for local access, high attack complexity, and high privileges required; in practice this is a path for a rogue or compromised CMS administrator to reach OS-level code execution, not a remote, unauthenticated entry point.

AlchemyCMS advisories and patches recommend upgrading to version 7.4.12 or 8.0.3, where the issue is fixed by replacing `eval()` with the safer `send()` method. Relevant GitHub commits include 55d03ec600fd9e07faae1138b923790028917d26 and 563c4ce45bf5813b7823bf3403ca1fc32cb769e7, with release tags at v7.4.12 and v8.0.3; further details are in the GHSA-2762-657x-v979 security advisory.
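The following is an added illustration of the bug class described above, not code from the Cyber Posture page or from the AlchemyCMS project. `ResourceHandler`, `ViewContext` and `my_engine` are constructed stand-ins for the real Alchemy resource handler, the ActionView context and a mounted engine's route proxy; the `resource_url_proxy_*` methods are hypothetical. It contrasts evaluating the attribute with `eval()` against the `send()` replacement the advisory describes, and adds an allowlisted `public_send` variant because `send()` can also reach private `Kernel` methods such as `abort` or `exit` if the name is attacker-controlled (my observation, not a claim about the shipped fix).

```ruby
# Added illustration for CVE-2026-23885's bug class. NOT AlchemyCMS's code:
# ResourceHandler, ViewContext and my_engine are constructed stand-ins for the
# real Alchemy resource handler, the ActionView context and an engine's route
# proxy.

# Stand-in for the object whose engine_name attribute the helper consumes.
# In Alchemy, engine_name comes from module definitions that admin-level
# configuration can influence.
ResourceHandler = Struct.new(:engine_name)

class ViewContext
  # Constructed stand-in for a Rails engine route proxy (e.g. `my_engine.root_path`).
  def my_engine
    "<route proxy for my_engine>"
  end

  # Vulnerable shape: the attribute is compiled and run as Ruby source.
  # Any valid Ruby, including Kernel#system or backticks, executes here.
  def resource_url_proxy_vulnerable(resource_handler)
    eval(resource_handler.engine_name) # rubocop:disable Security/Eval
  end

  # Patched shape as the advisory describes it: send() looks a method up by
  # name, so Ruby source inside the string no longer executes (NoMethodError).
  def resource_url_proxy_send(resource_handler)
    send(resource_handler.engine_name)
  end

  # Hardened variant (added here, not from the project): send() still reaches
  # private Kernel methods such as `abort` or `exit`, so validate the name
  # against the engines actually mounted and use public_send.
  ENGINE_PROXIES = %w[my_engine].freeze

  def resource_url_proxy_hardened(resource_handler)
    name = resource_handler.engine_name.to_s
    unless ENGINE_PROXIES.include?(name)
      raise ArgumentError, "unknown engine route proxy #{name.inspect}"
    end
    public_send(name)
  end
end

# Constructed inputs: the expected value, then two attacker-controlled ones.
BENIGN_HANDLER = ResourceHandler.new("my_engine")
# Valid Ruby that spawns a subprocess (ATT&CK T1059.004). IO.popen with an
# argv array keeps it harmless; a real payload would run attacker-chosen
# commands via system, exec or backticks.
PAYLOAD_HANDLER = ResourceHandler.new("IO.popen(%w[echo injected], &:read).strip")
# A bare method name that send() would invoke (Kernel#abort would terminate
# the Rails process); deliberately never passed to the send() variant here.
ABORT_HANDLER = ResourceHandler.new("abort")

# Runs a block and returns its result, or the exception class it raised.
def attempt
  yield
rescue StandardError => e
  e.class
end

# Exercises each variant and returns what came back.
def demo
  ctx = ViewContext.new
  {
    eval_benign:      attempt { ctx.resource_url_proxy_vulnerable(BENIGN_HANDLER) },
    eval_payload:     attempt { ctx.resource_url_proxy_vulnerable(PAYLOAD_HANDLER) },
    send_benign:      attempt { ctx.resource_url_proxy_send(BENIGN_HANDLER) },
    send_payload:     attempt { ctx.resource_url_proxy_send(PAYLOAD_HANDLER) },
    hardened_benign:  attempt { ctx.resource_url_proxy_hardened(BENIGN_HANDLER) },
    hardened_payload: attempt { ctx.resource_url_proxy_hardened(PAYLOAD_HANDLER) },
    hardened_abort:   attempt { ctx.resource_url_proxy_hardened(ABORT_HANDLER) },
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |variant, result| puts "#{variant}: #{result.inspect}" }
end
```

Running the block shows the `eval` variant returning the subprocess output `"injected"` for the payload, the `send` variant failing with `NoMethodError` because the payload string is no longer interpreted as code, and the allowlisted variant rejecting both the payload and the bare `abort` name with `ArgumentError` while still resolving `my_engine`.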

Details

CWE(s)

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Affected Products

alchemy-cms / alchemy cms (alchemy_cms gem)
affected: versions before 7.4.12, and 8.0.0 up to (excluding) 8.0.3
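As an added practitioner check (not part of the page or the AlchemyCMS project), the script below decides whether a pinned `alchemy_cms` version falls inside the affected range stated above, reading the pin from a `Gemfile.lock`. It relies only on `Gem::Version` from RubyGems; the lockfile excerpt is constructed for the example, and the function names are this example's own.

```ruby
# Added check, not part of the page or the AlchemyCMS project: is a pinned
# alchemy_cms version in the range affected by CVE-2026-23885 (anything before
# 7.4.12, and 8.0.0 up to but excluding 8.0.3)?
require "rubygems"

V7_FIX = Gem::Version.new("7.4.12")
V8_MIN = Gem::Version.new("8.0.0")
V8_FIX = Gem::Version.new("8.0.3")

# True when the version string is affected. Gem::Version orders pre-release
# tags below the release, so 8.0.3.rc1 is still treated as affected.
def vulnerable_version?(version_string)
  v = Gem::Version.new(version_string)
  v < V7_FIX || (v >= V8_MIN && v < V8_FIX)
end

# Extracts the pinned alchemy_cms version from Gemfile.lock text, or nil when
# the gem is absent. Bundler pins gems in the specs section as "    name (version)"
# (four spaces); dependency lines underneath are indented further and do not match.
def alchemy_cms_version(lockfile_text)
  m = lockfile_text.match(/^ {4}alchemy_cms \(([^)\s]+)\)/)
  m && m[1]
end

# true / false for a pinned version, nil when alchemy_cms is not in the lockfile.
def vulnerable_lockfile?(lockfile_text)
  version = alchemy_cms_version(lockfile_text)
  return nil if version.nil?
  vulnerable_version?(version)
end

# Constructed Gemfile.lock excerpt (not a real lockfile) pinning an affected version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alchemy_cms (7.4.11)
        rails (~> 7.2)
      rails (7.2.2)

  DEPENDENCIES
    alchemy_cms
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_alchemy.rb [path/to/Gemfile.lock]; falls back to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = alchemy_cms_version(text)
  status = vulnerable_lockfile?(text)
  verdict = if status.nil? then "alchemy_cms not pinned"
            elsif status then "AFFECTED, upgrade to 7.4.12 or 8.0.3"
            else "fixed version"
            end
  puts "alchemy_cms #{version.inspect}: #{verdict}"
end
```

Point it at a real `Gemfile.lock` from a deployed application rather than at the Gemfile, since the lockfile is what the running process actually loads.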

CVEs Like This One

CVE-2025-68271 (shared CWE-95)
CVE-2026-4851 (shared CWE-95)
CVE-2026-4001 (shared CWE-95)
CVE-2024-10633 (shared CWE-95)
CVE-2025-0868 (shared CWE-95)
CVE-2026-35002 (shared CWE-95)
CVE-2026-29091 (shared CWE-95)
CVE-2025-40943 (shared CWE-95)
CVE-2026-1470 (shared CWE-95)
CVE-2026-33618 (shared CWE-95)
