CVE-2026-44966 · HIGH 8.3 · EPSS p35.6%

shepherdwind / velocity.js

Description

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. Versions 2.1.5 and earlier of velocityjs contain a prototype pollution vulnerability in the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, the attacker can modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Scoring

CVSS 3.1: 8.3 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS: 0.45% probability of exploitation · percentile 35.6% · 2026-06-19T12:03:05Z
Published: 2026-05-26
Last modified: 2026-06-02

Underlying weaknesses · 1

CWE-1321

References

  1. https://github.com/shepherdwind/velocity.js/security/advisories/GHSA-j658-c2gf-x6pq

Type | Target | Confidence | Tier
Weakness | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (cwe-1321) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-49223
CVE-2026-44291
CVE-2026-29063
CVE-2026-44483
CVE-2025-13465
CVE-2026-46509

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.