PT-2026-39322 · Unknown · Velocityjs

Published: 2026-05-09 · Updated: 2026-05-09 · CVE-2026-44966

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Velocity.js versions prior to 2.1.6

Description: A prototype pollution issue exists during the processing of #set directives in templates. The engine accepts arbitrary path keys and performs assignments in the /src/compile/set.ts file using the logic (baseRef as Record<string, unknown>)[key] = val. Because sensitive keys such as __proto__, constructor, or prototype are neither validated nor filtered, an attacker can traverse the prototype chain and pollute the global Object.prototype. Depending on the server environment, this can lead to Denial of Service (DoS) or Remote Code Execution (RCE).

Recommendations: Update to a version newer than 2.1.5.
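To make the described defect concrete, here is an added example (not Velocity.js code) of a minimal path assigner modelled on the `(baseRef as Record<string, unknown>)[key] = val` pattern, beside a hardened variant that rejects prototype-chain keys on every path segment; the names `unsafeAssign`, `safeAssign`, `isForbiddenKey` and `FORBIDDEN_KEYS` are assumptions for illustration.

```typescript
// Added example, not the project's own code. Keys that reach the prototype chain
// when used as property names on a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isForbiddenKey(key: string): boolean {
  return FORBIDDEN_KEYS.has(key);
}

// Mirrors the vulnerable pattern from the advisory: walks a dotted path and assigns
// the last segment without checking whether any segment names a prototype key.
// A path such as "__proto__.polluted" therefore writes onto Object.prototype.
function unsafeAssign(root: Record<string, unknown>, path: string, val: unknown): void {
  const parts = path.split(".");
  let baseRef: unknown = root;
  for (const p of parts.slice(0, -1)) {
    baseRef = (baseRef as Record<string, unknown>)[p];
  }
  (baseRef as Record<string, unknown>)[parts[parts.length - 1]] = val;
}

// Hardened variant: rejects forbidden keys on every segment (not only the last one),
// traverses only own properties, and creates intermediates with a null prototype
// so that a later lookup cannot fall through to Object.prototype either.
function safeAssign(root: Record<string, unknown>, path: string, val: unknown): void {
  const parts = path.split(".");
  for (const p of parts) {
    if (isForbiddenKey(p)) {
      throw new Error(`refusing to assign through forbidden key "${p}"`);
    }
  }
  let baseRef = root;
  for (const p of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(baseRef, p)) {
      baseRef[p] = Object.create(null);
    }
    const next = baseRef[p];
    if (typeof next !== "object" || next === null) {
      throw new Error(`cannot traverse into non-object at "${p}"`);
    }
    baseRef = next as Record<string, unknown>;
  }
  baseRef[parts[parts.length - 1]] = val;
}
```

Note that checking only the final key is insufficient: the intermediate segment `__proto__` in `__proto__.x` is what reaches the shared prototype, so every segment must be validated.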

Fix: see Recommendations above.

Weakness Enumeration: Prototype Pollution

Related Identifiers:
CVE-2026-44966
GHSA-J658-C2GF-X6PQ

Affected Products: Velocityjs