2 brand new advisories

Author: jasnow

gems/alchemy_cms/CVE-2026-23885.yml

@@ -0,0 +1,45 @@
+---
+gem: alchemy_cms
+cve: 2026-23885
+ghsa: 2762-657x-v979
+url: https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+title: AlchemyCMS - Authenticated Remote Code Execution (RCE) via
+  eval injection in ResourcesHelper
+date: 2026-01-21
+description: |
+  ### Summary
+
+  A vulnerability was discovered during a manual security audit
+  of the AlchemyCMS source code. The application uses the Ruby
+  `eval()` function to dynamically execute a string provided by the
+  `resource_handler.engine_name` attribute in
+  `Alchemy::ResourcesHelper#resource_url_proxy`.
+
+  ### Details
+
+  The vulnerability exists in `app/helpers/alchemy/resources_helper.rb`
+  at line 28. The code explicitly bypasses security linting with
+  `# rubocop:disable Security/Eval`, indicating that the use of a
+  dangerous function was known but not properly mitigated.
+
+  Since `engine_name` is sourced from module definitions that can be
+  influenced by administrative configurations, it allows an authenticated
+  attacker to escape the Ruby sandbox and execute arbitrary system
+  commands on the host OS.
+
+  But, for this attack to be possible local file access to the alchemy
+  project or the source on a remote server is necessary in order to
+  manipulate the module config file, though.
+cvss_v3: 6.6
+patched_versions:
+  - "~> 7.4.12"
+  - ">= 8.0.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-23885
+    - https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
+    - https://github.com/advisories/GHSA-2762-657x-v979

rubies/mruby/CVE-2021-46020.yml

@@ -0,0 +1,34 @@
+---
+engine: mruby
+cve: 2021-46020
+ghsa: f639-3h6h-vr46
+url: https://github.com/advisories/GHSA-f639-3h6h-vr46
+title: An untrusted pointer dereference in mrb_vm_exec() of mruby 3.0.0
+date: 2022-01-14
+description: |
+  An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0
+  can lead to a segmentation fault or application crash.
+
+  ## PATCH INFO
+
+  - Mruby #5613 described the issue and Matz cited #5619 and #5620
+    as "been addressed" on 2/16/2022.
+  - Found the #5619 commit on 12/31/2021 in 3.1.0-rc release.
+  - Found the #5620 commit on  1/02/2022 in 3.1.0-rc release.
+  - 3.1.0-rc was released on 1/17/2022.
+cvss_v2: 5.0
+cvss_v3: 7.3
+patched_versions:
+  - ">= 3.1.0-rc"
+related:
+  url:
+    - https://github.com/advisories/GHSA-f639-3h6h-vr46
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-46020
+    - https://mruby.org/releases/2022/03/12/mruby-3.1.0-released.html
+    - https://github.com/mruby/mruby/blob/master/doc/mruby3.1.md
+    - https://github.com/mruby/mruby/issues/5613
+    - https://github.com/mruby/mruby/pull/5619
+    - https://github.com/mruby/mruby/pull/5619/commits/a137ef12f981b517f1e6b64e39edc7ac15d7e1eb
+    - https://github.com/mruby/mruby/pull/5620
+    - https://github.com/mruby/mruby/pull/5620/commits/d3b7601af96c9e0eeba4c89359289661c755a74a
+    - https://github.com/mruby/mruby/commit/7f40b645d2773c8f50c48ae4adf90488e164da55