-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security

Vulnerability Details

Registries

Custom Views

Weaknesses

Attack Patterns

Filters & Tools

velocity.js

Source -

CNANVD

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

1

Related CVEs Related Vendors Related Assigners Reports

1Vulnerabilities found

Assigner-GitHub, Inc.

Assigner-GitHub, Inc.

CVSS Score-8.3||HIGH

EPSS-0.10% / 27.57%

||

7 Day CHG~0.00%

Published-26 May, 2026 | 21:21

Updated-02 Jun, 2026 | 18:40

Rejected-Not Available

Known To Be Used In Ransomware Campaigns?-Not Available

KEV Added-Not Available

KEV Action Due Date-Not Available

Velocity.js: Prototype Pollution in #set path assignment

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Action-Not Available

Vendor-shepherdwind shepherdwind

Product-velocity.js velocity.js

CWE ID-CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')