CVE-2026-44966
HIGH
Velocity.js: Prototype Pollution in #set path assignment
Velocity.js is a JavaScript implementation of the Apache Velocity template engine. Versions 2.1.5 and earlier of velocityjs contain a prototype pollution vulnerability in the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, the template can modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE), depending on the server environment.
References (1)
x_refsource_confirm
https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq
Scores
CVSS v3
8.3
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Details
CWE
CWE-1321
Status
published
Products (1)
shepherdwind/velocity.js
<= 2.1.5
Published
May 26, 2026
Tracked Since
May 27, 2026