SCA: security update for alchemy_cms (GHSA-2762-657x-v979)

critical Tenable Self-Hosted Container Security Plugin ID 436865

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions
7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided
by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The
vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses
security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function
was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be
influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby
sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by
replacing `eval()` with `send()`. (CVE-2026-23885)

See Also

https://github.com/advisories/GHSA-2762-657x-v979

Plugin Details

Severity: Critical

ID: 436865

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/21/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.33

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-23885

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/21/2026

Vulnerability Publication Date: 1/19/2026

Reference Information

CVE: CVE-2026-23885

CWE: CWE-95