CNNVD-202601-2979 Information
CNNVD ID
CNNVD-202601-2979
Related CVE
- CNNVD Published: 2026-01-19
Description (translated from Chinese)
AlchemyCMS is an open-source content management system from AlchemyCMS - A Rails CMS Framework. AlchemyCMS versions before 7.4.12 and before 8.0.3 contain a security vulnerability: Alchemy::ResourcesHelper#resource_url_proxy uses Ruby's eval function to dynamically execute a string supplied by the resource_handler.engine_name attribute, which may allow an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host operating system.
Description (English)
AlchemyCMS is an open-source content management system from AlchemyCMS - A Rails CMS Framework. Versions of AlchemyCMS before 7.4.12 and before 8.0.3 contain a security vulnerability: Alchemy::ResourcesHelper#resource_url_proxy passes a string supplied by the resource_handler.engine_name attribute to Ruby's eval function, so the string is executed as Ruby code. An authenticated attacker who can influence that attribute may escape the Ruby sandbox and execute arbitrary system commands on the host operating system.
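The eval pattern the description refers to, shown beside a lookup that treats engine_name as data rather than as code. This is an added illustration, not AlchemyCMS code or its upstream patch; ShopEngine, ResourceHandler, KNOWN_ENGINES and the allowlist shape of the hardened version are assumptions made for the example.

```ruby
# Added example (not AlchemyCMS code): an eval-based engine lookup versus
# an allowlist lookup that never interprets engine_name as Ruby source.

# Constructed stand-in for a Rails engine and its url_helpers module.
Routes = Struct.new(:url_helpers)

module ShopEngine
  module UrlHelpers
    def self.products_path
      "/shop/products"
    end
  end

  def self.routes
    Routes.new(UrlHelpers)
  end
end

# Constructed stand-in for a resource handler whose engine_name comes from
# data (configuration, database, request) rather than from source code.
ResourceHandler = Struct.new(:engine_name)

# RISKY pattern: eval treats the attribute as Ruby source, so whatever string
# reaches engine_name runs with the application's privileges.
def resource_url_proxy_unsafe(resource_handler)
  return nil if resource_handler.engine_name.nil?
  eval("#{resource_handler.engine_name}.routes.url_helpers")
end

# HARDENED pattern (an assumed fix shape, not the upstream patch): resolve the
# name against an explicit allowlist of engine constants and reject anything
# else, so the string is only ever used as a hash key.
KNOWN_ENGINES = { "ShopEngine" => ShopEngine }.freeze

def resource_url_proxy_safe(resource_handler)
  name = resource_handler.engine_name
  return nil if name.nil?
  engine = KNOWN_ENGINES.fetch(name) do
    raise ArgumentError, "unknown engine_name: #{name.inspect}"
  end
  engine.routes.url_helpers
end
```

The same allowlist check applies to any other dynamic resolution of the name (constantize, const_get, send), not only to eval.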
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
AlchemyCMS - A Rails CMS Framework
Published
2026-01-19
Last Modified
2026-02-24
References
https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
https://access.redhat.com/security/cve/cve-2026-23885
Patch
https://github.com/AlchemyCMS/alchemy_cms/releases