CVE-2026-2950
Published 2026-03-31
Priority: P4 · 30 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.32% (23.4th percentile)
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
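One defensive check that follows from the advisory's description, as an added example that is not lodash's own code or its patch: every path segment is coerced to a string before it is compared against the prototype-affecting keys, so an array-wrapped segment is judged by the string it stringifies to rather than by its raw type. The names `FORBIDDEN_KEYS`, `isSafePath` and `safeUnset` are chosen here, and the code assumes lodash's array-form path argument.

```javascript
// Added example, not lodash's code. Keys that let a path reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Coerce a segment the way a property access would: String(['__proto__'])
// is '__proto__', so checking only `typeof seg === 'string'` is not enough.
function normalizeSegment(segment) {
  return typeof segment === 'symbol' ? segment : String(segment);
}

// True only if no segment, after coercion, is a prototype-affecting key.
function isSafePath(path) {
  const segments = Array.isArray(path) ? path : [path];
  return segments.every((seg) => !FORBIDDEN_KEYS.has(normalizeSegment(seg)));
}

// Minimal unset: refuses unsafe paths, walks own properties only, and never
// descends into a prototype or a primitive. Returns true if it deleted a key.
function safeUnset(obj, path) {
  if (!isSafePath(path)) {
    throw new Error(`refusing to unset prototype-affecting path: ${JSON.stringify(path)}`);
  }
  const segments = (Array.isArray(path) ? path : [path]).map(normalizeSegment);
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, segments[i])) {
      return false;
    }
    cur = cur[segments[i]];
  }
  const last = segments[segments.length - 1];
  if (cur === null || typeof cur !== 'object' || !hasOwn(cur, last)) {
    return false;
  }
  delete cur[last];
  return true;
}

// Constructed sample input.
const sample = { a: { b: 1, c: 2 } };
safeUnset(sample, ['a', 'b']); // deletes sample.a.b, leaves sample.a.c
```

The same coercion rule applies to `_.omit`, which takes the same path shapes; the `hasOwn` walk is the second layer, so a plain object never forwards a delete to `Object.prototype` even for a non-forbidden key like `toString`.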
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-lodash | < node-lodash 4.18.1+dfsg-1 (forky) | node-lodash 4.18.1+dfsg-1 (forky) |
| lodash.unset | lodash.unset | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-amd | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash-amd | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash-es | >= 0 < 4.18.0 | 4.18.0 |
| lodash | lodash-es | >= 4.0.0 < 4.17.23 | 4.17.23 |
| lodash | lodash.unset | >= 4.0.0 | — |
| ubuntu | node-lodash | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| ghsa | — | 6.9 | MEDIUM | — |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
Ubuntu
Lodash vulnerabilities
vendor_ubuntu·2026-06-09·CVSS 5.3
CVE-2025-13465 [MEDIUM] Lodash vulnerabilities
Title: Lodash vulnerabilities
Summary: Several security issues were fixed in Lodash.
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)
Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)
Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could
Red Hat
lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
vendor_redhat·2026-03-31·CVSS 5.3
CVE-2026-2950 [MEDIUM] CWE-915 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
A flaw was found in Lodash. An attacker can exploit a prototype pollution vulnerability in the `_.unset` and `_.omit` functions by bypassing a security check. This bypass is achieved by providing array-wrapped path segments, which allows for the deletion of properties from built-in JavaScript prototypes such as `Object.prototype`. This could lead to unexpected application behavior or denial of service.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Package: openshift-sandboxed-containe
Debian
CVE-2026-2950: node-lodash - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti...
vendor_debian·2026·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950: node-lodash - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype polluti...
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.18.1+dfsg-1)
sid: resolved (fixed in 4.18.1+dfsg-1)
trixie: open
GHSA
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
ghsa·2026-04-01·CVSS 6.9
CVE-2026-2950 [MEDIUM] CWE-1321 lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
OSV
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
osv·2026-04-01·CVSS 6.9
CVE-2026-2950 [MEDIUM] lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
OSV
CVE-2026-2950: Impact: Lodash versions 4
osv·2026-03-31·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950: Impact: Lodash versions 4
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2950: JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 6.5
Published March 31, 2026
Bugzilla
CVE-2026-43414 kernel: scsi: qla2xxx: Completely fix fcport double free
bugzilla·2026-05-08
CVE-2026-43414 [MEDIUM] CVE-2026-43414 kernel: scsi: qla2xxx: Completely fix fcport double free
CVE-2026-43414 kernel: scsi: qla2xxx: Completely fix fcport double free
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Completely fix fcport double free
In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea.
Discussion:
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050844-CVE-2026-43414-2950@gregkh/T
Bugzilla
CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
bugzilla·2026-03-31·CVSS 6.9
CVE-2026-2950 [MEDIUM] CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
CVE-2026-2950 lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
Published 2026-03-31