CVE-2026-44966

8.3 HIGH

Velocity.js is a JavaScript implementation of the Apache Velocity template engine

Published: 2026-05-26 · Last updated: 2026-06-02

Severity and scoring

CVSS: 8.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
CWE: CWE-1321

Affected products

Vendor	Product
shepherdwind	velocity.js

Description

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44966
[Vendor advisory]https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq

Related CVEs

Same CWE

CVE-2026-46625 — JavaScript Cookie is a JavaScript API for handling cookies, client-side (7.5 HIGH)
CVE-2026-45302 — parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays (8.2 HIGH)
CVE-2026-46510 — form-data-objectizer converts FormData to object (8.2 HIGH)
CVE-2026-46509 — deepobj provides get, set, delete deep objects in javascript (8.2 HIGH)
CVE-2026-44483 — RVF (formerly Remix Validated Form) provides easy form validation and state management for React (8.2 HIGH)