### Vulnerability Overview

- **Vulnerability Type**: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
- **Severity**: Moderate (6.6/10)
- **Affected Versions**: 7.4.11, 8.0.2
- **Fixed Versions**: 7.4.12, 8.0.3

### Vulnerability Details

- **Summary**: The vulnerability was found during a manual security audit of the AlchemyCMS source code. The application passes the string held in the `resource_handler.engine_name` attribute to Ruby's `eval()`, executing it as Ruby code.
- **Detailed Description**: The vulnerable code is on line 28 of `app/helpers/alchemy/resources_helper.rb`. The string is handed to `eval` without any validation or restriction of what it may contain. Since `engine_name` can be influenced by administrative configuration, an attacker can bypass the Ruby sandbox and execute arbitrary commands on the host operating system.

### Proof of Concept (PoC)

- **Critical Code**:

```ruby
def resource_url_proxy(resource_handler)
  if resource_handler.engine_name && !resource_handler.engine_name.empty?
    # engine_name is evaluated as Ruby without any validation
    eval(resource_handler.engine_name)
  end
end
```

- **PoC Script**: Demonstrates that the `eval` call can be exploited directly: the script creates a verification file and successfully executes a command.

### Additional Information

- **CVE ID**: CVE-2026-23885
- **Weakness Type**: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))
- **Reporter**: TheDeepOpC

This information is crucial for understanding the severity, scope, and remediation of the vulnerability.
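As an added illustration (not AlchemyCMS code and not the project's actual fix), the eval-based lookup is shown beside a lookup that resolves an engine's route proxy by name without `eval`; the view context, resource handler and engine allowlist are constructed stand-ins for what Rails would provide.

```ruby
require "set"

# Constructed stand-in for the Rails view context: each engine mounted in
# routes exposes a route-proxy helper method named after the engine.
class FakeViewContext
  def main_app
    :main_app_routes
  end

  def shop
    :shop_routes
  end
end

# Constructed stand-in for the resource handler carrying engine_name.
ResourceHandler = Struct.new(:engine_name)

# Vulnerable shape (same pattern as the advisory): whatever string
# engine_name holds is executed as Ruby in the view context.
def resource_url_proxy_unsafe(ctx, resource_handler)
  name = resource_handler.engine_name
  return if name.nil? || name.empty?
  ctx.instance_eval(name)
end

# Hardened shape: the name must be a plain identifier, must be on an
# allowlist of mounted engines, and is dispatched with public_send, so the
# string can only select a known helper and never supplies Ruby code.
ENGINE_NAME_RE = /\A[a-z_][a-z0-9_]*\z/
ALLOWED_ENGINES = Set.new(%w[main_app shop]).freeze # assumed engine list

def resource_url_proxy_safe(ctx, resource_handler)
  name = resource_handler.engine_name.to_s
  return if name.empty?
  unless name.match?(ENGINE_NAME_RE) && ALLOWED_ENGINES.include?(name)
    raise ArgumentError, "unknown engine name: #{name.inspect}"
  end
  ctx.public_send(name)
end
```

The same input that reaches a route proxy through both functions is evaluated as code only by the unsafe one, which is the difference a detection rule or code review should look for.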