{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/velocity.js/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["velocityjs \u003c= 2.1.5"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","vulnerability","velocity.js","CVE-2026-44966"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA prototype pollution vulnerability has been identified in Velocity.js, specifically affecting versions 2.1.5 and earlier. The vulnerability, designated as CVE-2026-44966, stems from improper input validation within the \u003ccode\u003e#set\u003c/code\u003e directive\u0026rsquo;s path assignment logic in Velocity templates. This flaw allows an attacker to manipulate the \u003ccode\u003eObject.prototype\u003c/code\u003e if they can influence the content of a Velocity template being rendered by an application. Successful exploitation could lead to a Denial of Service (DoS) or, depending on the server environment\u0026rsquo;s configuration, Remote Code Execution (RCE). The vulnerability was reported on May 9, 2026. Applications utilizing Velocity.js to render templates based on user-supplied or externally influenced data are most at risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Velocity template rendering endpoint within an application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious Velocity template containing a \u003ccode\u003e#set\u003c/code\u003e directive that targets the \u003ccode\u003eObject.prototype\u003c/code\u003e. 
Specifically, the template includes a payload like \u003ccode\u003e#set($__proto__.polluted = \u0026quot;hacked\u0026quot;)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious template into the application, either by directly supplying the template content, manipulating template variables, or exploiting other injection points.\u003c/li\u003e\n\u003cli\u003eThe Velocity engine processes the malicious template, and the \u003ccode\u003e#set\u003c/code\u003e directive is executed.\u003c/li\u003e\n\u003cli\u003eDue to the lack of input validation on the path within the \u003ccode\u003e#set\u003c/code\u003e directive, the engine directly assigns the attacker-controlled value to the \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eObject.prototype\u003c/code\u003e is now polluted, meaning all JavaScript objects inherit the attacker-defined property and value.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s behavior becomes unpredictable, potentially leading to a Denial of Service as the polluted prototype disrupts normal operations.\u003c/li\u003e\n\u003cli\u003eIn certain environments, the prototype pollution can be chained with other vulnerabilities (e.g., gadget chains) to achieve Remote Code Execution (RCE).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to pollute the \u003ccode\u003eObject.prototype\u003c/code\u003e in Velocity.js applications. The impact of successful exploitation ranges from Denial of Service (DoS) to Remote Code Execution (RCE), depending on the specific environment and application logic. Any application using Velocity.js version 2.1.5 or earlier is potentially vulnerable if it renders templates that can be influenced by untrusted users. 
Prototype pollution can bypass security controls and cause unexpected application behavior.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of Velocity.js that addresses the prototype pollution vulnerability.\u003c/li\u003e\n\u003cli\u003eSanitize user-supplied data used in Velocity templates to prevent the injection of malicious \u003ccode\u003e#set\u003c/code\u003e directives targeting \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Velocity.js Prototype Pollution Attempt via set Directive\u0026rdquo; to identify attempts to exploit CVE-2026-44966 in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation on template variables to prevent the use of special property names such as \u003ccode\u003e__proto__\u003c/code\u003e or \u003ccode\u003econstructor\u003c/code\u003e that could be used for prototype pollution.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to Velocity template rendering endpoints with payloads containing \u003ccode\u003e__proto__\u003c/code\u003e in the query parameters, as detected by the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-09T00:40:16Z","date_published":"2026-05-09T00:40:16Z","id":"/briefs/2024-01-velocityjs-prototype-pollution/","summary":"A prototype pollution vulnerability exists in Velocity.js versions 2.1.5 and earlier, allowing attackers to modify Object.prototype via crafted #set directives in Velocity templates, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE).","title":"Velocity.js Prototype Pollution Vulnerability via #set Directive (CVE-2026-44966)","url":"https://feed.craftedsignal.io/briefs/2024-01-velocityjs-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Velocity.js","version":"https://jsonfeed.org/version/1.1"}