HIGH
shepherdwind
CVE published 2026-05-26
CVE-2026-44966
A prototype pollution vulnerability in velocityjs ≤2.1.5 allows attackers to modify Object.prototype through malicious #set directives in Velocity templates. When applications render attacker-controlled templates, this can escalate to Denial of Service or Remote Code Execution depending on server environment configuration. The vulnerability stems from improper handling of property assignment during templa [truncated]