Rails

An unauthenticated API endpoint, `GET /api/pages/nested`, in Alchemy CMS versions up to 8.2.5 (including all 8.x versions prior to a fix and all 7.x versions up to 7.4.14), fails to enforce authorization and scoping checks, allowing any anonymous user to retrieve the complete page tree, encompassing restricted and unpublished pages, and, with `?elements=true`, the full content of these sensitive pages, completely bypassing intended access controls and leading to unauthorized information disclosure.

A remote, anonymous attacker can exploit a vulnerability in Ruby and Ruby on Rails to bypass security measures and execute arbitrary code.

A deserialization vulnerability exists in Ruby ERB versions before 4.0.3.1, version 4.0.4, ERB versions 5.0.0 before 6.0.1.1, and ERB versions 6.0.2 before 6.0.4. The `@_init` instance variable guard in `ERB#result` and `ERB#run` can be bypassed via `ERB#def_module`, `ERB#def_method`, and `ERB#def_class`, allowing arbitrary code execution when an ERB object is reconstructed via `Marshal.load` on untrusted data.

A denial-of-service vulnerability (CVE-2026-33174) exists in Ruby on Rails Active Storage versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1 due to unbounded memory allocation when handling large or unbounded Range headers in proxy delivery mode.