2430 matches found

Positive Technologies
added 2026/01/23 12:0 a.m. | 4 views

PT-2026-4539

Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, use animated open formats a string for eval with an id that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue...

CVSS 5.3 | AI score 5.4 | EPSS 0.00026
Exploits: 0 | References: 3

Github Security Blog
added 2026/01/21 1:4 a.m. | 8 views

AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Summary A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Details The...

CVSS 9.9 | AI score 6.1 | EPSS 0.00024
Exploits: 0 | References: 8 | Affected Software: 1

OSV
added 2026/01/21 1:4 a.m. | 3 views

GHSA-2762-657X-V979 AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Summary A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Details The...

CVSS 6.4 | AI score 6.2 | EPSS 0.00024
Exploits: 0 | References: 8

RedhatCVE
added 2026/01/20 9:22 p.m. | 3 views

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.4 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 1

Tenable Nessus
added 2026/01/20 12:0 a.m. | 4 views

MiracleLinux 8 : python27:2.7 (AXSA:2021-2829:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2829:01 advisory. python: Unsafe use of eval on data retrieved via HTTP in the test suite CVE-2020-27619 python-jinja2: ReDoS vulnerability in the urlize filter...

CVSS 9.8 | AI score 7.8 | EPSS 0.034
Exploits: 5 | References: 8

Tenable Nessus
added 2026/01/20 12:0 a.m. | 3 views

MiracleLinux 8 : python3-3.6.8-37.el8 (AXSA:2021-2061:02)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2061:02 advisory. python: CRLF injection via HTTP request method in httplib/http.client CVE-2020-26116 python: Unsafe use of eval on data retrieved via HTTP in the te...

CVSS 9.8 | AI score 8 | EPSS 0.00903
Exploits: 3 | References: 5

NVD
added 2026/01/19 10:16 p.m. | 5 views

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 9.9 | EPSS 0.00024
Exploits: 0 | References: 5

Snyk
added 2026/01/19 9:46 p.m. | 2 views

Eval Injection

Overview Affected versions of this package are vulnerable to Eval Injection via the resource_url_proxy function. An attacker can execute arbitrary system commands by supplying crafted input to the engine_name attribute, which is evaluated within the application context. PoC require 'ostruct' def...

CVSS 9.9 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/19 9:9 p.m. | 3 views

CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.4 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 5

EUVD
added 2026/01/19 9:9 p.m. | 3 views

EUVD-2026-3281

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.6 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 5

CVE
added 2026/01/19 9:9 p.m. | 11 views

CVE-2026-23885

CVE-2026-23885 – AlchemyCMS RCE via eval in ResourcesHelper. The vulnerability affects AlchemyCMS (Ruby on Rails) prior to 7.4.12 and 8.0.3, where the code in Alchemy::ResourcesHelper#resource_url_proxy uses Ruby’s eval() on the value of resource_handler.engine_name. This string is sourced from ...

CVSS 9.9 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2026/01/19 9:9 p.m. | 4 views

CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.4 | AI score 6.1 | EPSS 0.00024
Exploits: 0 | References: 7

Cvelist
added 2026/01/19 9:9 p.m. | 14 views

CVE-2026-23885 AlchemyCMS has Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.4 | EPSS 0.00024
Exploits: 0 | References: 5

ATTACKERKB
added 2026/01/19 9:9 p.m. | 3 views

CVE-2026-23885

Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby eval function to dynamically execute a string provided by the resource_handler.engine_name attribute in Alchemy::ResourcesHelper#resource_url_proxy. Th...

CVSS 6.4 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 6 | Affected Software: 1

Positive Technologies
added 2026/01/19 12:0 a.m. | 5 views

PT-2026-3507

Name of the Vulnerable Software and Affected Versions Alchemy versions prior to 7.4.12 Alchemy versions prior to 8.0.3 Description Alchemy, a Ruby on Rails content management system, allows an authenticated attacker to execute arbitrary system commands on the host operating system. The applicatio...

CVSS 6.4 | AI score 6 | EPSS 0.00024
Exploits: 0 | References: 14

Tenable Nessus
added 2026/01/16 12:0 a.m. | 3 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003765)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003765 advisory. In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt and ...

CVSS 7 | AI score 7.3 | EPSS 0.00053
Exploits: 1 | References: 19

Github Security Blog
added 2026/01/13 7:1 p.m. | 7 views

openc3-api Vulnerable to Unauthenticated Remote Code Execution

Summary OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_valu...

CVSS 10 | AI score 8.5 | EPSS 0.00395
Exploits: 0 | References: 5 | Affected Software: 1

Snyk
added 2026/01/13 7:1 p.m. | 1 view

Eval Injection

Overview Affected versions of this package are vulnerable to Eval Injection via the convert_to_value function. An unauthenticated attacker can execute arbitrary code by sending specially crafted JSON-RPC requests containing malicious parameter text, which is evaluated through eval when processed as...

CVSS 10 | AI score 8 | EPSS 0.00395
Exploits: 0 | References: 2

Cvelist
added 2026/01/13 6:32 p.m. | 20 views

CVE-2025-68271 Unauthenticated Remote Code Execution in openc3-api

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From 5.0.0 to 6.10.1, OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of...

CVSS 10 | EPSS 0.00395
Exploits: 0 | References: 1

RubySec
added 2026/01/13 12:0 a.m. | 4 views

openc3-api Vulnerable to Unauthenticated Remote Code Execution

Summary OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_valu...

CVSS 10 | AI score 8.5 | EPSS 0.00395
Exploits: 0 | References: 1 | Affected Software: 1