| Field | Value |
|---|---|
| Title | RubyLouvre avalon 0.9.9 - 2.2.10 Code Injection / Prototype Pollution |
| Description | The Avalon MVVM framework stores template filters in a plain object (avalon.filters = {}) and looks them up with bracket notation, without a hasOwnProperty check. An attacker can therefore reach Object.prototype properties through filter names such as __proto__ or constructor. Combined with the template parser's use of new Function() for expression compilation, this allows remote code execution when an attacker controls template content. The project has been unmaintained since 2019 but is still widely used in legacy systems. |
| Source | https://github.com/OriginSecurityX/avalon-filter-rce |
| User | Frederick (UID 98351) |
| Submission | 05/18/2026 12:00 (28 days ago) |
| Moderation | 06/14/2026 14:27 (27 days later) |
| Status | Accepted |
| VulDB entry | 370851 [RubyLouvre avalon up to 2.2.10 Template Filter src/filters/index.js prototype pollution] |
| Points | 20 |
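The lookup weakness named in the description, shown as an added illustration rather than avalon's own code: a plain-object filter registry resolves unregistered names such as `constructor` through the prototype chain, while a prototype-less registry with an own-property check and a guarded registration function does not. The registry names and helper functions here are assumptions for the example.

```javascript
// Added example (not avalon's code): vulnerable vs. hardened filter lookup.
// Filter names are treated as untrusted strings taken from a template.

// Vulnerable pattern: plain object, bracket-notation lookup, no own-property check.
const plainFilters = {};
plainFilters.uppercase = (s) => String(s).toUpperCase();

function lookupUnsafe(name) {
  // Names never registered, e.g. "constructor", still resolve via
  // Object.prototype, so the caller receives a function it did not expect.
  return plainFilters[name];
}

// Hardened pattern: prototype-less object, explicit own-property check,
// and a type check so only registered functions are ever returned.
const safeFilters = Object.create(null);
safeFilters.uppercase = (s) => String(s).toUpperCase();

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

function registerSafe(name, fn) {
  // Refuse keys that could alias prototype machinery or non-function values.
  if (typeof name !== 'string' || RESERVED.has(name)) return false;
  if (typeof fn !== 'function') return false;
  safeFilters[name] = fn;
  return true;
}

function lookupSafe(name) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(safeFilters, name)) return undefined;
  const fn = safeFilters[name];
  return typeof fn === 'function' ? fn : undefined;
}

// Applying a filter by name only through the hardened lookup.
function applyFilter(name, value) {
  const fn = lookupSafe(name);
  if (!fn) throw new Error(`unknown filter: ${name}`);
  return fn(value);
}
```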