CVE-2026-12209

Summary

A security vulnerability has been detected in RubyLouvre avalon up to 2.2.10. The impacted element is an unknown function of the file src/filters/index.js of the component Template Filter Handler. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
RubyLouvreavalon2.2.0affected
RubyLouvreavalon2.2.1affected
RubyLouvreavalon2.2.2affected
RubyLouvreavalon2.2.3affected
RubyLouvreavalon2.2.4affected
RubyLouvreavalon2.2.5affected
RubyLouvreavalon2.2.6affected
RubyLouvreavalon2.2.7affected
RubyLouvreavalon2.2.8affected
RubyLouvreavalon2.2.9affected
RubyLouvreavalon2.2.10affected

Weaknesses

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References