PT-2026-3507 · Alchemy · Alchemy

Thedeepopc

·

Published

2026-01-19

·

Updated

2026-01-22

·

CVE-2026-23885

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Alchemy versions prior to 7.4.12
Alchemy versions prior to 8.0.3
Description

Alchemy, a Ruby on Rails content management system, allows an authenticated attacker to execute arbitrary system commands on the host operating system. The application passes a string derived from the resource_handler.engine_name attribute to Ruby's eval() inside the Alchemy::ResourcesHelper#resource_url_proxy method (app/helpers/alchemy/resources_helper.rb, line 28). Because eval() treats that string as Ruby source, any Ruby appended to the engine name runs with the privileges of the Rails process. The eval() call bypasses security linting, and the engine_name attribute is influenced by administrative configuration, which makes arbitrary code execution possible.
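The pattern the description refers to, as an added illustration that is not Alchemy's own code: a constructed resource handler whose engine_name comes from configuration, a helper that interpolates that name into Ruby source and evals it, and a lookup-based replacement. The ResourceHandler struct, the Routes module and the KNOWN_ENGINES allow-list are assumptions made for the example; the hardened variant is one reasonable fix, not the project's actual patch.

```ruby
# Added example (not Alchemy's code). Models the eval-based pattern described in the
# advisory next to a lookup-based replacement. All names here are constructed stand-ins.

# Constructed stand-in for the resource handler; in the real application engine_name is
# read from administrator-controlled resource configuration.
ResourceHandler = Struct.new(:engine_name)

# Constructed stand-ins for the per-engine route proxies a Rails helper would return.
module Routes
  def self.main_app
    :main_app_routes
  end

  def self.alchemy
    :alchemy_routes
  end
end

# Vulnerable pattern: the configured name is interpolated into Ruby source and evaluated.
# A name such as "main_app; system('id')" runs the appended statement in the Rails process.
def resource_url_proxy_vulnerable(handler)
  eval("Routes.#{handler.engine_name}") # rubocop:disable Security/Eval
end

# Hardened variant (an assumption, not the project's patch): the configured name is only
# ever used as a key into an explicit allow-list, so no string is executed and unknown
# names are rejected instead of evaluated.
KNOWN_ENGINES = {
  "main_app" => -> { Routes.main_app },
  "alchemy"  => -> { Routes.alchemy }
}.freeze

def resource_url_proxy_safe(handler)
  name = handler.engine_name.to_s
  proxy = KNOWN_ENGINES[name]
  raise ArgumentError, "unknown engine name: #{name.inspect}" unless proxy
  proxy.call
end

# Benign configuration resolves the same way through both helpers.
puts resource_url_proxy_vulnerable(ResourceHandler.new("alchemy")) # alchemy_routes
puts resource_url_proxy_safe(ResourceHandler.new("alchemy"))       # alchemy_routes

# Injected configuration: eval executes the appended statement (a harmless global
# assignment stands in for a shell command); the allow-list refuses the name outright.
injected = ResourceHandler.new("main_app; $marker = :code_ran")
resource_url_proxy_vulnerable(injected)
puts $marker                                                        # code_ran
begin
  resource_url_proxy_safe(injected)
rescue ArgumentError => e
  puts e.message
end
```

The point of the allow-list over something like public_send is that the configured value never selects a method by name at all; it only selects among proxies the application itself registered, so an administrator-level configuration change cannot widen what the helper will execute.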
Recommendations

Update to Alchemy version 7.4.12 or later.
Update to Alchemy version 8.0.3 or later.

Exploit

Fix

RCE

Eval Injection

Weakness Enumeration

Related Identifiers

CVE-2026-23885
GHSA-2762-657X-V979

Affected Products

Alchemy