CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Th...

CLSA-2026-1768839607 ruby: Fix of 2 CVEs

CVE-2025-61594: fix incomplete fix for CVE-2025-27221 which allowed credential leaks to persist in URI+ - fully redact x-oauth-basic tokens from tests - update URI specs to reflect that modifying user or host clears credentials...

CLSA-2026-1768814484 ruby: Fix of CVE-2025-58767

CVE-2025-58767: fixed REXML to reject duplicate XML declarations and validate declaration attributes to protect from DoS...

MiracleLinux 7 : rh-ruby26-ruby-2.6.9-120.el7 (AXSA:2022-3091:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2022-3091:01 advisory. rubygem-bundler: Dependencies of gems with explicit source may be installed from a different source CVE-2020-36327 rubygem-rdoc: Command injection...

MiracleLinux 3 : ruby-1.8.5-22.1.0.1.AXS3 (AXSA:2012-99:1)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2012-99:1 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 4 : ruby-1.8.7.352-3.0.1.AXS4 (AXSA:2012-54:01)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2012-54:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

PT-2026-3507

Name of the Vulnerable Software and Affected Versions Alchemy versions prior to 7.4.12 Alchemy versions prior to 8.0.3 Description Alchemy, a Ruby on Rails content management system, allows an authenticated attacker to execute arbitrary system commands on the host operating system. The applicatio...

MiracleLinux 3 : ruby-1.8.5-5.1 (AXSA:2007-63:01)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2007-63:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 3 : ruby-1.8.5-5.5 (AXSA:2008-471:02)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2008-471:02 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do syste...

MiracleLinux 3 : ruby-1.8.5-31.AXS3 (AXSA:2013-560:03)

The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2013-560:03 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 3 : ruby-1.8.5-27.AXS3 (AXSA:2013-43:01)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2013-43:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 3 : ruby-1.8.5-29.AXS3 (AXSA:2013-269:02)

The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2013-269:02 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 4 : ruby-1.8.7.352-10.AXS4 (AXSA:2013-281:01)

The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2013-281:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do syste...

MiracleLinux 7 : ruby-2.0.0.648-36.el7 (AXSA:2019-4276:03)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-4276:03 advisory. ruby: HTTP response splitting in WEBrick CVE-2017-17742 ruby: DoS by large request in WEBrick CVE-2018-8777 ruby: Buffer under-read in Stringunpack...

MiracleLinux 4 : ruby-1.8.7.352-12.AXS4 (AXSA:2013-564:02)

The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2013-564:02 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 4 : ruby-1.8.7.352-13.AXS4 (AXSA:2014-036:01)

The remote MiracleLinux 4 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2014-036:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system...

MiracleLinux 7 : ruby-2.0.0.648-34.0.1.el7.AXS7 (AXSA:2019-3740:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2019-3740:01 advisory. ruby: OpenSSL::X509::Name equality check does not work correctly CVE-2018-16395 Tenable has extracted the preceding description block directly from the...

ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection

ActiveRecord-JDBC-Adapter AR-JDBC contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or...

MiracleLinux 7 : rh-ruby25-ruby-2.5.3-6.el7 (AXSA:2019-3613:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-3613:01 advisory. ruby: OpenSSL::X509::Name equality check does not work correctly CVE-2018-16395 ruby: HTTP response splitting in WEBrick CVE-2017-17742 ruby: DoS by...