Velocity.js has a Prototype Pollution vulnerability through #set path assignment

Description

A prototype pollution vulnerability was discovered in Velocity.js <= 2.1.5. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.1.5

References

• GHSA-j658-c2gf-x6pq
• CVE-2026-44966
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• liquidjs has a path traversal fallback vulnerability - CVE-2026-30952
• devalue has prototype pollution in devalue.parse and devalue.unflatten - CVE-2026-30226
• Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - CVE-2026-42264
• Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo - CVE-2024-21548

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

How do hackers hack websites?

Tags:

npm

velocityjs