CVE-2026-2950

CWE-1321 — Prototype Pollution8 documents6 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 78.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lodash Lodash Lodash Lodash-amd Lodash Lodash-es +1 more

Timeline

PublishedMar 31

Latest updateApr 1

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prot…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages13 packages

▶npmlodash.unset4.0.0 — 4.18.0

▶CVEListV5lodash/lodash.unset4.0.0 — 4.18.0

▶NVDlodash/lodash.unset

▶npmlodash< 4.18.0

▶npmlodash-es< 4.18.0

🔴Vulnerability Details

GHSA

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`↗2026-04-01

▶

OSV

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`↗2026-04-01

▶

CVEList

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`↗2026-03-31

▶

OSV

CVE-2026-2950: Impact: Lodash versions 4↗2026-03-31

▶

📋Vendor Advisories

Debian

CVE-2026-2950: node-lodash - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶