CVE-2026-23885
unknown
CVSS v3: -
CVSS v4: -
VIR risk: -
Description
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Predictions
Exploit likelihood: 20%
Patch ETA: -
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | alchemy_cms | <~> 7.4.12 | ~> 7.4.12 |
| RubyGems | alchemy_cms | <7.4.12 | 7.4.12 |
| RubyGems | alchemy_cms | >=8.0.0.a,<8.0.3 | 8.0.3 |
References
- https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
- https://nvd.nist.gov/vuln/detail/CVE-2026-23885
- https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
- https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
- https://github.com/AlchemyCMS/alchemy_cms
- https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
- https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/alchemy_cms/CVE-2026-23885.yml