Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
History

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:shepherdwind:velocity.js:*:*:*:*:*:node.js:*:*

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Shepherdwind
Shepherdwind velocity.js
Vendors & Products Shepherdwind
Shepherdwind velocity.js

Tue, 26 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
Title Velocity.js: Prototype Pollution in #set path assignment
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-26T21:21:29.986Z

Updated: 2026-06-01T17:08:58.934Z

Reserved: 2026-05-08T16:23:33.263Z

Link: CVE-2026-44966

cve-icon Vulnrichment

Updated: 2026-06-01T17:08:54.371Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T22:16:43.293

Modified: 2026-06-17T10:51:32.720

Link: CVE-2026-44966

cve-icon Redhat

No data.