Updated advisory posts against rubysec/ruby-advisory-db@e4d63d4

jasnow · RubySec CI · commit 35bcf7532068 · 2026-01-31T06:43:27.000Z
diff --git a/advisories/_posts/2026-01-21-CVE-2026-23885.md b/advisories/_posts/2026-01-21-CVE-2026-23885.md
@@ -0,0 +1,53 @@
+---
+layout: advisory
+title: 'CVE-2026-23885 (alchemy_cms): AlchemyCMS - Authenticated Remote Code Execution
+  (RCE) via eval injection in ResourcesHelper'
+comments: false
+categories:
+- alchemy_cms
+advisory:
+  gem: alchemy_cms
+  cve: 2026-23885
+  ghsa: 2762-657x-v979
+  url: https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+  title: AlchemyCMS - Authenticated Remote Code Execution (RCE) via eval injection
+    in ResourcesHelper
+  date: 2026-01-21
+  description: |
+    ### Summary
+
+    A vulnerability was discovered during a manual security audit
+    of the AlchemyCMS source code. The application uses the Ruby
+    `eval()` function to dynamically execute a string provided by the
+    `resource_handler.engine_name` attribute in
+    `Alchemy::ResourcesHelper#resource_url_proxy`.
+
+    ### Details
+
+    The vulnerability exists in `app/helpers/alchemy/resources_helper.rb`
+    at line 28. The code explicitly bypasses security linting with
+    `# rubocop:disable Security/Eval`, indicating that the use of a
+    dangerous function was known but not properly mitigated.
+
+    Since `engine_name` is sourced from module definitions that can be
+    influenced by administrative configurations, it allows an authenticated
+    attacker to escape the Ruby sandbox and execute arbitrary system
+    commands on the host OS.
+
+    But, for this attack to be possible local file access to the alchemy
+    project or the source on a remote server is necessary in order to
+    manipulate the module config file, though.
+  cvss_v3: 6.6
+  patched_versions:
+  - "~> 7.4.12"
+  - ">= 8.0.3"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-23885
+    - https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
+    - https://github.com/advisories/GHSA-2762-657x-v979
+---
