PatchSiren cyber security CVE debrief
CVE-2026-44966 shepherdwind CVE debrief
A prototype pollution vulnerability in velocityjs ≤2.1.5 allows attackers to modify Object.prototype through malicious #set directives in Velocity templates. When applications render attacker-controlled templates, this can escalate to Denial of Service or Remote Code Execution depending on server environment configuration. The vulnerability stems from improper handling of property assignment during template processing, enabling pollution of the global object prototype chain.
- Vendor: shepherdwind
- Product: velocity.js
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations using velocityjs for server-side or client-side template rendering, particularly those accepting user-generated template content or dynamically constructing templates from untrusted sources. Development teams with Node.js applications processing Velocity templates should prioritize assessment. Security operations teams should monitor for exploitation attempts against template rendering endpoints.
Technical summary
The velocityjs library (a JavaScript implementation of the Apache Velocity template engine), in versions 2.1.5 and earlier, contains a prototype pollution vulnerability in the processing of #set directives. When an application renders attacker-controlled Velocity templates, malicious template syntax can traverse the prototype chain and modify Object.prototype properties. The pollution propagates to every object inheriting from the polluted prototype, potentially enabling property injection that causes application crashes (DoS) or, in environments where a suitable gadget chain exists, achieves Remote Code Execution. The attack requires network access to an application endpoint that renders untrusted template content without adequate isolation or sanitization.
Defensive priority
HIGH
Recommended defensive actions
- Audit applications for velocityjs template rendering with untrusted input; upgrade to a patched version when one is available
- Implement strict input validation and sanitization for all Velocity template content before processing
- Deploy Content Security Policy and template sandboxing to isolate rendering contexts
- Monitor for anomalous prototype modification attempts in application logs
- Review dependency trees to identify transitive velocityjs usage in the supply chain
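As an added illustration of the validation and monitoring actions above (this is example code written for this debrief, not velocityjs project code), the block below scans template text for #set directives whose target path passes through a prototype-chain key, and takes a snapshot of Object.prototype so that any property added during rendering of an untrusted template can be detected afterwards. The list of dangerous keys (`__proto__`, `constructor`, `prototype`) and the sample templates are assumptions constructed for the example; they are not taken from the advisory.

```javascript
'use strict';

// Property names through which a #set assignment can reach Object.prototype.
// Assumption for this example; not a list published in the advisory.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Captures the left-hand reference of a #set directive, e.g. "#set($a.b = 1)"
// yields "a.b". Also accepts the "$!" and "${...}" reference forms.
const SET_DIRECTIVE = /#set\s*\(\s*\$!?\{?([^=\s}]+)\}?\s*=/g;

// Pre-render check: returns one finding per #set directive whose target path
// contains a prototype-chain key. Segments are split on "." and "[...]" and
// stripped of surrounding quotes so that $a['__proto__'] is caught as well.
function findUnsafeSetDirectives(template) {
  const findings = [];
  for (const match of template.matchAll(SET_DIRECTIVE)) {
    const path = match[1];
    const segments = path
      .split(/\.|\[|\]/)
      .map(s => s.replace(/^['"]|['"]$/g, ''))
      .filter(Boolean);
    const key = segments.find(s => PROTOTYPE_KEYS.has(s));
    if (key) findings.push({ directive: match[0], path, key });
  }
  return findings;
}

// Post-render check, step 1: record Object.prototype's own keys before rendering.
function snapshotObjectPrototype() {
  return new Set(Reflect.ownKeys(Object.prototype));
}

// Post-render check, step 2: keys that appeared on Object.prototype since the
// snapshot. A non-empty result after rendering untrusted input is a pollution
// indicator worth logging and alerting on.
function detectPrototypeChanges(snapshot) {
  return Reflect.ownKeys(Object.prototype).filter(k => !snapshot.has(k));
}

// Constructed sample templates (not from the advisory): one benign, two that
// route a #set target through the prototype chain.
const SAMPLES = {
  benign: '#set($user.name = "alice")\nHello $user.name',
  dotted: '#set($user.__proto__.isAdmin = true)',
  bracketed: "#set($user['constructor']['prototype']['x'] = 1)",
};

for (const [name, tpl] of Object.entries(SAMPLES)) {
  console.log(name, findUnsafeSetDirectives(tpl));
}
```

Run the pre-render check before handing a template to the engine and the snapshot comparison immediately after rendering; the second check catches bypasses the static scan misses.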
Evidence notes
Official CVE record published 2026-05-26. GitHub Security Advisory GHSA-j658-c2gf-x6pq confirms prototype pollution via #set directives in velocityjs ≤2.1.5. The CVSS 3.1 score of 8.3 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L indicates a network-exploitable, low-complexity attack with a changed scope. CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) is classified as the primary weakness.
Official resources
- CVE-2026-44966 CVE record (CVE.org)
- CVE-2026-44966 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-26