Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
Metrics
Affected Vendors & Products
References
History
Tue, 02 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:2.3:a:shepherdwind:velocity.js:*:*:*:*:*:node.js:*:* |
Mon, 01 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 27 May 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Shepherdwind
Shepherdwind velocity.js |
|
| Vendors & Products |
Shepherdwind
Shepherdwind velocity.js |
Tue, 26 May 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment. | |
| Title | Velocity.js: Prototype Pollution in #set path assignment | |
| Weaknesses | CWE-1321 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-01T17:08:58.934Z
Reserved: 2026-05-08T16:23:33.263Z
Link: CVE-2026-44966
Updated: 2026-06-01T17:08:54.371Z
Status : Analyzed
Published: 2026-05-26T22:16:43.293
Modified: 2026-06-17T10:51:32.720
Link: CVE-2026-44966
No data.
OpenCVE Enrichment
Updated: 2026-05-27T10:08:19Z