Skip to content
Threat Feed

Product

Velocityjs <= 2.1.5

1 brief RSS
high advisory

Velocity.js Prototype Pollution Vulnerability via #set Directive (CVE-2026-44966)

A prototype pollution vulnerability exists in Velocity.js versions 2.1.5 and earlier, allowing attackers to modify Object.prototype via crafted #set directives in Velocity templates, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE).

velocityjs <= 2.1.5 prototype-pollution vulnerability velocity.js CVE-2026-44966
2r 1t