19 matches found

OSV
added 2026/01/21 1:4 a.m., 3 views

GHSA-2762-657X-V979 AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Summary: A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Details: The...

6.4 CVSS, 6.2 AI score, 0.00024 EPSS
Exploits: 0, References: 8

RubySec
added 2026/01/21 12:0 a.m., 6 views

AlchemyCMS - Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Summary: A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Details: The...

9.9 CVSS, 6.2 AI score, 0.00024 EPSS
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2026/01/19 9:9 p.m., 3 views

CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

6.4 CVSS, 6 AI score, 0.00024 EPSS
Exploits: 0, References: 5

CVE
added 2026/01/19 9:9 p.m., 11 views

CVE-2026-23885

CVE-2026-23885 – AlchemyCMS RCE via eval in ResourcesHelper. The vulnerability affects AlchemyCMS (Ruby on Rails) prior to 7.4.12 and 8.0.3, where the code in Alchemy::ResourcesHelper#resource_url_proxy uses Ruby’s eval() on the value of resource_handler.engine_name. This string is sourced from ...

9.9 CVSS, 6 AI score, 0.00024 EPSS
Exploits: 0, References: 5, Affected Software: 1

Cvelist
added 2026/01/19 9:9 p.m., 14 views

CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

6.4 CVSS, 0.00024 EPSS
Exploits: 0, References: 5

CNNVD
added 2026/01/19 12:0 a.m., 1 view

AlchemyCMS security vulnerabilities

AlchemyCMS is an open-source content management system based on the AlchemyCMS – a Rails CMS framework. Vulnerabilities existed in versions prior to 7.4.12 and 8.0.3 of AlchemyCMS. These vulnerabilities stemmed from the use of the Ruby eval function in Alchemy::ResourcesHelper#resource_url_proxy,...

9.9 CVSS, 6.2 AI score, 0.00024 EPSS
Exploits: 0, References: 6

GitHub Security Blog
added 2022/05/14 1:57 a.m., 55 views

Withdrawn Advisory: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field

Withdrawn Advisory This advisory has been withdrawn because it does not describe a vulnerability. The maintainer states the following: The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected a...

6.1 CVSS, 5.9 AI score, 0.00342 EPSS
Exploits: 2, References: 8, Affected Software: 1

OSV
added 2022/05/14 1:57 a.m., 6 views

GHSA-7MJ4-2984-955F Withdrawn Advisory: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field

Withdrawn Advisory This advisory has been withdrawn because it does not describe a vulnerability. The maintainer states the following: The researcher used an authorized cookie to perform the request to a password-protected route. Without that session cookie, the request would have been rejected a...

5.9 CVSS, 5.9 AI score, 0.00342 EPSS
Exploits: 2, References: 8

RubySec
added 2022/05/14 12:0 a.m., 8 views

AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field

A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image filename field...

6.1 CVSS, 5.7 AI score, 0.00342 EPSS
Exploits: 2, References: 1, Affected Software: 1

OSV
added 2018/10/16 10:29 p.m., 4 views

CVE-2018-18307

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session...

6.1 CVSS, 6 AI score
Exploits: 0, References: 5

NVD
added 2018/10/16 10:29 p.m., 10 views

CVE-2018-18307

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session...

6.1 CVSS, 6.1 AI score, 0.00342 EPSS
Exploits: 2, References: 5

Prion
added 2018/10/16 10:29 p.m., 8 views

Cross site scripting

DISPUTED A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that...

4.3 CVSS, 6 AI score, 0.00342 EPSS
Exploits: 2, References: 4, Affected Software: 1

Positive Technologies
added 2018/10/16 12:0 a.m., 2 views

PT-2018-14397 · Alchemycms · Alchemycms

Name of the Vulnerable Software and Affected Versions: AlchemyCMS version 4.1.0 Description: A Stored XSS issue has been found in AlchemyCMS via the "/admin/pictures" image field. The vendor disputes the validity of this report, stating that the researcher used an authorized cookie to access a...

6.1 CVSS, 6.2 AI score, 0.00342 EPSS
Exploits: 2, References: 10

CVE
added 2018/10/16 12:0 a.m., 76 views

CVE-2018-18307

AlchemyCMS 4.1.0 is vulnerable to a Stored XSS via the /admin/pictures image field. The issue is caused by improper handling of user input in that field (SNYK cites improper input sanitization). The vendor disputes the report, stating the request relied on an authorized session cookie; without it...

6.1 CVSS, 6 AI score, 0.00342 EPSS
Exploits: 2, References: 5, Affected Software: 1

Cvelist
added 2018/10/16 12:0 a.m., 10 views

CVE-2018-18307

A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field. NOTE: the vendor's position is that this is not a valid report: "The researcher used an authorized cookie to perform the request to a password-protected route. Without that session...

6.1 AI score, 0.00342 EPSS
Exploits: 2, References: 5

Exploit DB
added 2018/10/15 12:0 a.m., 542 views

AlchemyCMS 4.1 - Cross-Site Scripting

Exploit Title: AlchemyCMS 4.1 - Cross-Site Scripting Date: 2018-10-14 Exploit Author: Ismail Tasdelen Vendor Homepage: https://alchemy-cms.com/ Software Link : https://github.com/AlchemyCMS/alchemycms Software : AlchemyCMS Version : 4.1-stable Vulnerability Type : Cross-site Scripting Vulnerabili...

7.4 AI score
Exploits: 0

exploitpack
added 2018/10/15 12:0 a.m., 24 views

AlchemyCMS 4.1 - Cross-Site Scripting

AlchemyCMS 4.1 - Cross-Site Scripting Exploit Title: AlchemyCMS 4.1 - Cross-Site Scripting Date: 2018-10-14 Exploit Author: Ismail Tasdelen Vendor Homepage: https://alchemy-cms.com/ Software Link : https://github.com/AlchemyCMS/alchemycms Software : AlchemyCMS Version : 4.1-stable Vulnerability...

6.8 AI score
Exploits: 0

0day.today
added 2018/10/15 12:0 a.m., 13 views

AlchemyCMS 4.1 - Cross-Site Scripting Vulnerability

Exploit for php platform in category web applications...

1.3 AI score
Exploits: 0

Packet Storm
added 2018/10/14 12:0 a.m., 44 views

Alchemy CMS 4.1-Stable Cross Site Scripting

Exploit Title: AlchemyCMS 4.1-stable - Cross-Site Scripting Date: 2018-10-14 Exploit Author: Ismail Tasdelen Vendor Homepage: https://alchemy-cms.com/ Software Link : https://github.com/AlchemyCMS/alchemycms Software : AlchemyCMS Version : 4.1-stable Vulnerability Type : Cross-site Scripting...

6.4 AI score, 0.00342 EPSS
Exploits: 2