CVE-2026-44966 PUBLISHED

Velocity.js: Prototype Pollution in #set path assignment

Assigner: GitHub_M
Reserved: 08.05.2026 Published: 26.05.2026 Updated: 26.05.2026

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
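The class of bug described above (a template-driven path assignment that can walk into Object.prototype) has a standard mitigation: refuse the keys `__proto__`, `constructor` and `prototype` anywhere in the assignment path, and never descend through inherited properties. The helper below is an added illustration, not velocity.js code and not taken from the project's fix; the names `safeSetPath`, `pollutedKeys` and `isPolluted` are assumptions for this example. It also includes a small check a defender can run to confirm that the global Object.prototype has not already been modified.

```javascript
// Added example (not velocity.js code): a hardened path-assignment helper in the
// style of a template "#set($a.b.c = value)" operation, guarding against CWE-1321
// prototype pollution, plus a detector for an already-polluted Object.prototype.
// Function names and the forbidden-key list are assumptions for illustration.

// Segments that must never be used as a property key when walking or assigning a path.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at `path` (an array of keys) beneath `root`, creating
// intermediate plain objects as needed. Refuses forbidden keys and refuses to
// traverse through inherited properties, so Object.prototype is never reachable.
function safeSetPath(root, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of keys');
  }
  let node = root;
  for (let i = 0; i < path.length; i++) {
    const key = String(path[i]);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to assign through forbidden key "${key}"`);
    }
    if (i === path.length - 1) {
      node[key] = value;
      return root;
    }
    // Only descend into an *own* property that is a non-null object; otherwise
    // create a fresh container. Object.create(null) has no prototype chain at all,
    // so even a later mistake cannot climb from it to Object.prototype.
    if (!Object.prototype.hasOwnProperty.call(node, key) ||
        typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  return root;
}

// Detection: list enumerable keys that have appeared on Object.prototype.
// All built-in members of Object.prototype are non-enumerable, so a healthy
// process returns an empty list; anything else indicates pollution.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

function isPolluted() {
  return pollutedKeys().length > 0;
}

// Usage: a legitimate nested assignment succeeds, a forbidden path is rejected
// before any write happens, and Object.prototype stays clean either way.
const ctx = safeSetPath({}, ['user', 'name'], 'alice');
console.log(ctx.user.name);            // alice
try {
  safeSetPath({}, ['__proto__', 'polluted'], true);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log('prototype polluted?', isPolluted());  // false
```

The two rules enforced here, a deny-list on path segments and an own-property check before descending, are independent; keeping both means a single missed key name does not by itself reopen the path to the prototype.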

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CVSS Score: 8.3

Product Status

Vendor: shepherdwind
Product: velocity.js
Versions
  • Version <= 2.1.5 is affected

References

Problem Types

  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')