VDB
CVE-2026-2950
CVE-2026-2950
PUBLISHED
CVSS 6.5 MEDIUM
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
EPSS 0.03% · 7.6th percentile
Risk Scores
CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.03%
7.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Azure | functions | |
| lodash | lodash-es | 4.18.0, 4.17.23 |
| lodash | lodash.unset | 4.18.0, 4.0.0 |
| lodash | lodash-amd | 4.18.0, 4.17.23 |
| lodash | lodash | 4.17.23, 4.18.0 |
| Oracle Cloud | functions |
Timeline
- Mar 31, 2026 CVE Published
- Mar 31, 2026 PoC Published
- Apr 2, 2026 Security Advisory
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404 advisory
- https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg url
- https://www.ibm.com/support/pages/node/7271707 advisory
- https://www.ibm.com/support/pages/node/7271922 advisory
- https://www.ibm.com/support/pages/node/7271681 advisory
- https://www.ibm.com/support/pages/node/7271765 advisory
- https://www.ibm.com/support/pages/node/7270805 advisory
- https://www.ibm.com/support/pages/node/7270827 advisory
- https://www.ibm.com/support/pages/node/7270869 advisory
- https://www.ibm.com/support/pages/node/7270820 advisory
- https://www.ibm.com/support/pages/node/7270845 advisory
- https://www.ibm.com/support/pages/node/7270868 advisory
- https://www.ibm.com/support/pages/node/7270775 advisory
- https://www.ibm.com/support/pages/node/7270692 advisory
- https://www.ibm.com/support/pages/node/7274185 advisory
- https://www.ibm.com/support/pages/node/7274154 advisory
- https://www.ibm.com/support/pages/node/7274180 advisory
- https://www.ibm.com/support/pages/node/7274183 advisory
- https://www.ibm.com/support/pages/node/7273957 advisory
…and 6 more