CVE-2026-44966

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/05/2026
Last modified:
02/06/2026

Description

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:shepherdwind:velocity.js:*:*:*:*:*:node.js:*:* 2.1.5 (including)