Avalon
Prototype pollution in RubyLouvre Avalon's Template Filter Handler (src/filters/index.js) allows remote unauthenticated attackers to modify JavaScript Object.prototype attributes by supplying crafted template filter input. All versions through 2.2.10 are affected per the CPE range cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*. No vendor patch exists - the maintainer did not respond to coordinated disclosure - and a public exploit is available on GitHub (OriginSecurityX/avalon-filter-rce), which the repository title characterizes as capable of remote code execution, a materially more severe claim than the CVSS 4.0 VI:L rating assigned by the reporter.
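To make the vulnerability class concrete, the following is an added example and not Avalon's code (nor the contents of the GitHub repository named above): a hypothetical filter-option setter that accepts a dotted path from untrusted input, shown first in the form that reaches Object.prototype and then hardened, together with a runtime check a defender can use to detect that the global prototype has already been polluted. The registry shape and the dotted-key syntax are assumptions.

```javascript
// Hypothetical filter registry; the shape is an assumption for illustration.
function makeRegistry() {
  return { filters: {} };
}

// Vulnerable pattern: walks a user-controlled dotted path, creating objects
// as it goes. Because every object inherits "__proto__", a path such as
// "__proto__.polluted" lands on Object.prototype and affects all objects.
function setFilterOptionUnsafe(registry, path, value) {
  const parts = path.split('.');
  let node = registry.filters;
  for (let i = 0; i < parts.length - 1; i++) {
    if (node[parts[i]] === undefined) node[parts[i]] = {};
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
}

// Hardened form: reject keys that reach the prototype chain, descend only
// into own plain-object properties, and store in null-prototype objects so
// inherited names such as "toString" can never be followed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function setFilterOptionSafe(registry, path, value) {
  const parts = path.split('.');
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) throw new Error(`rejected unsafe key: ${part}`);
  }
  let node = registry.filters;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
}

// Detection check: a fresh object literal must enumerate nothing. Any
// enumerable key visible here was injected into Object.prototype.
function prototypeWasPolluted() {
  for (const key in {}) return true; // eslint-disable-line no-unused-vars
  return false;
}

module.exports = { makeRegistry, setFilterOptionUnsafe, setFilterOptionSafe, prototypeWasPolluted };
```

The detection helper is cheap enough to run at process start or inside a health check, which is useful where, as here, no upstream patch is available and the fix has to live in the consuming application.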