Description
A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A prototype pollution flaw exists within an unknown function of src/filters/index.js in RubyLouvre Avalon up to version 2.2.10. The flaw permits an attacker to alter object prototype attributes, which can lead to arbitrary code execution or other malicious outcomes. The vendor was notified but did not respond.

Affected Systems

RubyLouvre Avalon, versions up to and including 2.2.10 are affected. No official patch or fix has been released.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium). No EPSS score is available, so the current exploitation probability cannot be quantified, and the issue is not listed in CISA KEV. Exploitation is possible remotely by sending crafted input to the Template Filter Handler; an attacker who can manipulate prototype attributes may achieve code execution or other unintended behavior.

Generated by OpenCVE AI on June 15, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of RubyLouvre Avalon released after 2.2.10 or apply a vendor-supplied patch when it becomes available.
  • If an upgrade is not feasible, disable or tightly restrict access to the endpoint that invokes the Template Filter Handler so that only trusted internal processes can use it.
  • Implement additional input validation or a sandboxed evaluation of filter payloads to block prototype property modifications and code injection, and consider WAF rules that detect suspicious template patterns.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 03:00:00 +0000

Values added (no values removed in this entry):

  • Description: A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: RubyLouvre avalon Template Filter index.js prototype pollution
  • First Time appeared: Rubylouvre; Rubylouvre avalon
  • Weaknesses: CWE-1321; CWE-94
  • CPEs: cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*
  • Vendors & Products: Rubylouvre; Rubylouvre avalon
  • References: (none)
  • Metrics:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T02:15:07.361Z

Reserved: 2026-06-14T12:27:55.933Z

Link: CVE-2026-12209

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-15T03:16:24.167

Modified: 2026-06-15T03:16:24.167

Link: CVE-2026-12209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-15T04:30:29Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')