{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2950", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-02-21T20:04:35.087Z", "datePublished": "2026-03-31T19:18:35.796Z", "dateUpdated": "2026-04-01T13:43:21.491Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-31T19:18:35.796Z"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."}]}], "affected": [{"vendor": "lodash", "product": "lodash", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0"}, {"versionType": "semver", "status": "unaffected", "version": "4.18.0"}], "packageURL": "pkg:npm/lodash"}, {"vendor": "lodash", "product": "lodash-es", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0"}, {"versionType": "semver", "status": "unaffected", "version": "4.18.0"}], "packageURL": "pkg:npm/lodash-es"}, {"vendor": "lodash", "product": "lodash-amd", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "4.17.23", "lessThan": "4.18.0"}, {"versionType": "semver", "status": "unaffected", "version": "4.18.0"}], "packageURL": "pkg:npm/lodash-amd"}, {"vendor": "lodash", "product": "lodash.unset", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "4.0.0", "lessThan": "4.18.0"}, {"versionType": "semver", "status": "unaffected", "version": "4.18.0"}], "packageURL": "pkg:npm/lodash.unset"}], "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "credits": [{"lang": "en", "type": "reporter", "value": "Haruna38"}, {"lang": "en", "type": "finder", "value": "shpik-kr"}, {"lang": "en", "type": "finder", "value": "maru1009"}, {"lang": "en", "type": "finder", "value": "ott3r07"}, {"lang": "en", "type": "finder", "value": "zolbooo"}, {"lang": "en", "type": "finder", "value": "backuardo"}, {"lang": "en", "type": "remediation developer", "value": "falsyvalues"}, {"lang": "en", "type": "remediation developer", "value": "jonchurch"}, {"lang": "en", "type": "analyst", "value": "jdalton"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}], "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:43:14.280375Z", "id": "CVE-2026-2950", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:43:21.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:43:14.280375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:43:18.193Z"}}], "cna": {"title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "credits": [{"lang": "en", "type": "reporter", "value": "Haruna38"}, {"lang": "en", "type": "finder", "value": "shpik-kr"}, {"lang": "en", "type": "finder", "value": "maru1009"}, {"lang": "en", "type": "finder", "value": "ott3r07"}, {"lang": "en", "type": "finder", "value": "zolbooo"}, {"lang": "en", "type": "finder", "value": "backuardo"}, {"lang": "en", "type": "remediation developer", "value": "falsyvalues"}, {"lang": "en", "type": "remediation developer", "value": "jonchurch"}, {"lang": "en", "type": "analyst", "value": "jdalton"}, {"lang": "en", "type": "remediation reviewer", "value": "UlisesGascon"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "lodash", "product": "lodash", "versions": [{"status": "affected", "version": "4.17.23", "lessThan": "4.18.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.18.0", "versionType": "semver"}], "packageURL": "pkg:npm/lodash", "defaultStatus": "unaffected"}, {"vendor": "lodash", "product": "lodash-es", "versions": [{"status": "affected", "version": "4.17.23", "lessThan": "4.18.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.18.0", "versionType": "semver"}], "packageURL": "pkg:npm/lodash-es", "defaultStatus": "unaffected"}, {"vendor": "lodash", "product": "lodash-amd", "versions": [{"status": "affected", "version": "4.17.23", "lessThan": "4.18.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.18.0", "versionType": "semver"}], "packageURL": "pkg:npm/lodash-amd", "defaultStatus": "unaffected"}, {"vendor": "lodash", "product": "lodash.unset", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.18.0", "versionType": "semver"}, {"status": "unaffected", "version": "4.18.0", "versionType": "semver"}], "packageURL": "pkg:npm/lodash.unset", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "supportingMedia": [{"type": "text/html", "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-31T19:18:35.796Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2950", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:43:21.491Z", "dateReserved": "2026-02-21T20:04:35.087Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-03-31T19:18:35.796Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."}], "id": "CVE-2026-2950", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-03-31T20:16:26.207", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-01T05:36:10.331433+00:00", "value": {"mitigation_remediation": ["Upgrade lodash to version 4.18.0 or later"], "summary": {"action": "Patch Now", "impact": "Prototype Pollution and Property Deletion"}, "threat_synthesis": {"affected_systems": "The affected products are lodash (including lodash:lodash-amd, lodash:lodash-es, and lodash:lodash.unset). The issue applies to all releases up to and including version 4.17.23; no version numbers beyond 4.17.23 are affected.", "description_and_impact": "Lodash versions up to 4.17.23 are vulnerable to prototype pollution in the _.unset and _.omit functions because the guard against string key members is bypassed when an attacker supplies array\u2011wrapped path segments. This bypass allows an attacker to delete properties from built\u2011in prototypes such as Object.prototype, Number.prototype, and String.prototype. The deletion of these prototype properties can potentially undermine the assumptions of numerous libraries and application logic, though it does not overwrite their original behavior. The impact manifests as a violation of the integrity of the JavaScript engine\u2019s prototype chain, which could lead to subtle or hard\u2011to\u2011detect failures in code that relies on these prototypes.", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, reducing its likelihood of being seen in large\u2011scale exploitation campaigns. The attack vector is inferred to be directly from application code that processes untrusted input with _.unset or _.omit, requiring the attacker to craft an array\u2011wrapped path segment. Based on the description, it is likely that any code that relies on lodash\u2019s unset or omit functionality is at risk if the input is not trusted."}}}}, "created": "2026-04-02T07:53:12.818067+00:00", "updated": "2026-04-02T07:53:12.818108+00:00", "vendors": []}