Cyber Posture

CVE-2026-44966

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 26 May 2026

Published
26 May 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score 8.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS Score 0.0008 22.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44966 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

Prototype pollution in template processing enables RCE when attacker-controlled templates are rendered in a web app (T1190); achieved via JavaScript execution (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a…

more

template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-1321

References