VDB
DEBIAN-CVE-2026-2950
DEBIAN-CVE-2026-2950
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | node-lodash | 4.17.21+dfsg, 0, 4.18.1+dfsg |
| Debian:11 | node-lodash | *, *, * |
| Debian:13 | node-lodash | *, 0, 4.17.21+dfsg |
| Debian:14 | node-lodash | 0, 4.17.23+dfsg, 4.17.21+dfsg |
Exploit Intelligence
- package.json (github-poc)
- pnpm-workspace.yaml (github-poc)
- 1.69.1.yaml (github-poc)
- VeracodeReportDTO.java (github-poc)
- mockData.ts (github-poc)
- changelog.model.ts (github-poc)
- exploits.js (github-poc)
Timeline
- Mar 31, 2026 CVE Published
- Apr 28, 2026 CVE Updated