Vulnerability DatabaseCVE-2026-44966
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-44966
Published:May 26, 2026
Updated:June 11, 2026
Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.
Affected Packages
velocityjs (NPM):
Affected version(s) >=0.3.1 <2.1.6
Fix Suggestion:
Update to version 2.1.6
Related Resources (3)
https://github.com/shepherdwind/velocity.js
https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq
https://nvd.nist.gov/vuln/detail/CVE-2026-44966
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1321
EPSS
Base Score:
0.10