CVE-2026-23885: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AlchemyCMS alchemy_cms
Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`.
AI Analysis
Technical Summary
CVE-2026-23885 is a medium severity vulnerability classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, or Eval Injection) affecting AlchemyCMS, an open-source Ruby on Rails content management system. The vulnerability exists in versions prior to 7.4.12 and between 8.0.0.a and 8.0.3 due to the use of Ruby's eval() function in the method Alchemy::ResourcesHelper#resource_url_proxy, specifically at line 28 in app/helpers/alchemy/resources_helper.rb. The eval() function is used to dynamically execute code derived from the resource_handler.engine_name attribute, which is influenced by module definitions that can be configured by administrators. Although the code disables RuboCop security linting warnings for eval, no proper sanitization or validation is applied. This allows an authenticated attacker with administrative privileges to escape the Ruby sandbox and execute arbitrary system commands on the host operating system, potentially leading to full system compromise. The vulnerability does not require user interaction but does require high privilege authentication. The issue is resolved in versions 7.4.12 and 8.0.3 by replacing eval() with the safer send() method, which avoids executing arbitrary code strings. There are no known exploits in the wild at the time of publication, but the potential impact is significant given the ability to execute arbitrary commands. The CVSS v3.1 score is 6.4, reflecting medium severity with high impact on confidentiality, integrity, and availability, but limited by the requirement for high privileges and local access.
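The difference between evaluating `engine_name` and dispatching on it, shown as an added Ruby example rather than AlchemyCMS's own code: the `ViewContext` and `RouteProxy` classes, the `KNOWN_ENGINES` allow-list, the `TRACE` sink, the `dispatch` helper and the sample engine-name strings are all constructed for this demonstration. The `resource_url_proxy_strict` variant goes beyond the `send()` fix the advisory describes by adding an allow-list and `public_send`.

```ruby
# Added example, not AlchemyCMS code: contrasts the eval-based proxy lookup
# the advisory describes with the send-based replacement, and with a stricter
# allow-listed variant. All classes, names and inputs here are constructed.

# Constructed stand-in for a Rails route proxy (what main_app or an engine's
# route helper returns inside a view).
class RouteProxy
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def resource_path(id)
    "/#{name}/resources/#{id}"
  end
end

# Constructed stand-in for the view context, which exposes one route-proxy
# method per mounted engine plus main_app.
class ViewContext
  # Assumed allow-list of engine names this context is willing to resolve.
  KNOWN_ENGINES = %w[main_app alchemy].freeze

  def main_app
    RouteProxy.new("main_app")
  end

  def alchemy
    RouteProxy.new("alchemy")
  end

  # Vulnerable pattern (CWE-95): the engine name is parsed and run as Ruby
  # source, so any statement embedded in the string executes with the
  # privileges of the application process.
  def resource_url_proxy_eval(engine_name)
    eval(engine_name) # rubocop:disable Security/Eval
  end

  # The fix the advisory describes: send resolves a method by name instead of
  # compiling source, so a string that is not a method name raises NoMethodError.
  # Note that send still reaches any method, public or private, by that name.
  def resource_url_proxy_send(engine_name)
    send(engine_name)
  end

  # Stricter variant (this example's addition): reject anything outside the
  # allow-list before dispatch, and use public_send so private methods such as
  # Kernel#system or Kernel#exit cannot be reached by name.
  def resource_url_proxy_strict(engine_name)
    name = engine_name.to_s
    raise ArgumentError, "unknown engine: #{name.inspect}" unless KNOWN_ENGINES.include?(name)

    public_send(name)
  end
end

# Constructed side-effect sink so the caller can observe whether a statement
# smuggled into engine_name actually ran.
TRACE = []

# Runs one lookup through the given strategy and reports what happened:
# [result name or nil, error class or nil, number of smuggled statements run].
def dispatch(strategy, engine_name)
  TRACE.clear
  result = ViewContext.new.public_send(strategy, engine_name)
  [result.name, nil, TRACE.size]
rescue NoMethodError, ArgumentError => e
  [nil, e.class, TRACE.size]
end

if __FILE__ == $PROGRAM_NAME
  benign = "alchemy"
  # Constructed input: a harmless extra statement in front of the engine name,
  # enough to show that eval executes it while send and the strict variant do not.
  tainted = "TRACE << :ran; alchemy"

  %i[resource_url_proxy_eval resource_url_proxy_send resource_url_proxy_strict].each do |s|
    puts "#{s}: benign=#{dispatch(s, benign).inspect} tainted=#{dispatch(s, tainted).inspect}"
  end
end
```

Run with `ruby example.rb`. The eval path returns the `alchemy` proxy for both inputs but the trace count shows the smuggled statement ran; the `send` path returns the proxy only for the plain name and raises `NoMethodError` for the tainted string. Passing `"class"` to the `send` path still resolves (to `Class#name`, giving `"ViewContext"`), which is why the strict variant checks the allow-list first: `send` removes source evaluation but is not by itself a restriction on which methods a configuration value can invoke.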
Potential Impact
For European organizations using affected versions of AlchemyCMS, this vulnerability poses a significant risk of system compromise. An attacker with administrative access can execute arbitrary commands on the server hosting the CMS, potentially leading to data theft, unauthorized data modification, service disruption, or use of the compromised system as a pivot point for further attacks within the network. Given AlchemyCMS’s role in managing web content, exploitation could also result in defacement, injection of malicious content, or disruption of public-facing services. The requirement for authenticated high-privilege access reduces the risk from external attackers but elevates the threat from insider threats or compromised administrative accounts. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face increased compliance risks and potential reputational damage if exploited. The medium severity rating suggests that while the vulnerability is serious, it is not trivially exploitable by unauthenticated or low-privilege users, somewhat limiting its impact scope.
Mitigation Recommendations
European organizations should immediately upgrade AlchemyCMS installations to version 7.4.12 or 8.0.3 or later, where the eval() usage has been replaced with the safer send() method. Until upgrades are applied, restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Conduct thorough audits of administrative configurations and module definitions to detect any unauthorized or suspicious changes to resource_handler.engine_name or related attributes. Implement strict role-based access controls to minimize the number of users with high privileges capable of influencing these configurations. Monitor system and application logs for unusual command execution patterns or unexpected behavior indicative of exploitation attempts. Additionally, consider deploying application-level security controls such as Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this vulnerability. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.901Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 696ea0384623b1157ccf2ce8
Added to database: 1/19/2026, 9:20:56 PM
Last enriched: 1/27/2026, 8:02:04 PM
Last updated: 2/7/2026, 4:09:24 AM