CVE-2026-2950
published 2026-03-31


Priority: P4 (30)
Severity: Medium, CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.32% (23.4th percentile)
Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.
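The bypass the description refers to rests on one JavaScript detail: a property access coerces a non-string key to a string, so obj[['__proto__']] resolves to obj.__proto__ even though the segment itself is an array and a typeof-string check never sees it. The following is an added illustration, not lodash's source and not the 4.18.0 patch: a simplified model of a path-based unset with a string-only guard of the kind the advisory describes, beside a variant that normalizes every segment before checking it. castPath, toKey, FORBIDDEN, attemptOn and demo are names chosen for this example; the real lodash path parser also handles bracket syntax, which this model omits.

```javascript
// Added example (not lodash's code): string-only guard vs. normalized guard
// for a path-based unset. Simplified model; names and structure are assumptions.

// Keys that must never be traversed or deleted through a user-supplied path.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted string into segments; array paths are used as given.
function castPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Mirror of what a property access does to a non-string, non-symbol key:
// obj[['__proto__']] coerces the array to the string "__proto__".
function toKey(seg) {
  return typeof seg === 'symbol' ? seg : String(seg);
}

// Incomplete guard: dangerous names are rejected only when the segment is
// already a string. An array-wrapped segment such as ['__proto__'] skips the
// check but still resolves to obj.__proto__ when accessed.
function unsetStringGuard(obj, path) {
  const segs = castPath(path);
  let cur = obj;
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    if (typeof seg === 'string' && FORBIDDEN.has(seg)) return false;
    if (i === segs.length - 1) return cur == null ? true : delete cur[seg];
    cur = cur == null ? undefined : cur[seg];
  }
  return true;
}

// Hardened variant: normalize first, then check, so the wrapped form is
// caught as well. (An assumed fix shape, not lodash 4.18.0's actual patch.)
function unsetNormalized(obj, path) {
  const segs = castPath(path).map(toKey);
  let cur = obj;
  for (let i = 0; i < segs.length; i++) {
    const key = segs[i];
    if (typeof key === 'string' && FORBIDDEN.has(key)) return false;
    if (i === segs.length - 1) return cur == null ? true : delete cur[key];
    cur = cur == null ? undefined : cur[key];
  }
  return true;
}

// Run one attempt against Number.prototype.toFixed and restore it afterwards
// so the demo does not leave the runtime damaged. Returns true if the
// property was gone between the call and the restore.
function attemptOn(unsetFn, path) {
  const saved = Object.getOwnPropertyDescriptor(Number.prototype, 'toFixed');
  try {
    unsetFn(Object(1), path); // Object(1).__proto__ === Number.prototype
    return !Object.prototype.hasOwnProperty.call(Number.prototype, 'toFixed');
  } finally {
    Object.defineProperty(Number.prototype, 'toFixed', saved);
  }
}

function demo() {
  return {
    // Plain string path: the string-only guard already blocks this.
    stringPathVulnerable: attemptOn(unsetStringGuard, '__proto__.toFixed'),
    // Array-wrapped first segment: slips past the string-only guard.
    wrappedPathVulnerable: attemptOn(unsetStringGuard, [['__proto__'], 'toFixed']),
    // Same wrapped path against the normalizing guard.
    wrappedPathHardened: attemptOn(unsetNormalized, [['__proto__'], 'toFixed']),
  };
}
```

Calling demo() shows the three outcomes side by side: the string path is refused by both variants, the wrapped path deletes Number.prototype.toFixed under the string-only guard, and the normalizing guard refuses it. The deletion is real (the descriptor is restored only because attemptOn saves it first), which is why the advisory rates this as an integrity impact even though no behaviour can be overwritten.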

Affected

10 ranges

Vendor       | Product      | Version range                         | Fixed in
debian       | node-lodash  | < node-lodash 4.18.1+dfsg-1 (forky)   | node-lodash 4.18.1+dfsg-1 (forky)
lodash.unset | lodash.unset | >= 4.0.0 < 4.18.0                     | 4.18.0
lodash       | lodash       | >= 0 < 4.18.0                         | 4.18.0
lodash       | lodash       | >= 4.0.0 < 4.17.23                    | 4.17.23
lodash       | lodash-amd   | >= 0 < 4.18.0                         | 4.18.0
lodash       | lodash-amd   | >= 4.0.0 < 4.17.23                    | 4.17.23
lodash       | lodash-es    | >= 0 < 4.18.0                         | 4.18.0
lodash       | lodash-es    | >= 4.0.0 < 4.17.23                    | 4.17.23
lodash       | lodash.unset | >= 4.0.0                              | (none listed)
ubuntu       | node-lodash  | (no range listed)                     | (none listed)

Note: the ranges that end at 4.17.23 correspond to the earlier fix for CVE-2025-13465, which the description above states is bypassable. For this CVE the description names 4.17.23 itself as affected and 4.18.0 as the fixed release, so treat anything below 4.18.0 (and, for the standalone lodash.unset package, any 4.x release with no fix listed) as vulnerable.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
ghsa          |         | 6.9   | MEDIUM   |
osv           |         | 6.9   | MEDIUM   |
vendor_debian |         | 6.9   | MEDIUM   |
vendor_redhat |         | 5.3   | MEDIUM   |
vendor_ubuntu |         | 5.3   | MEDIUM   |