Velocity.js has a Prototype Pollution vulnerability through #set path assignment

Description

A prototype pollution vulnerability was discovered in Velocity.js <= 2.1.5. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.1.5

References

• GHSA-j658-c2gf-x6pq
• CVE-2026-44966
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - CVE-2026-2950
• lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - lodash.unset - CVE-2026-2950
• i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
• Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - lodash-amd - CVE-2025-13465

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:

npm

velocityjs