MEDIUM · 6.5

CVE-2026-2950


Vulnerability Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches: This issue is patched in Lodash 4.18.0.

Workarounds: None. Upgrade to the patched version.
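The following is an added illustration, not lodash's own code and not a proof of concept from the advisory: it contrasts a key guard that inspects only string segments (the failure mode described above) with a guard that normalizes each segment to the property key it would actually become, and shows a hardened unset that also refuses to traverse inherited properties. Function names are hypothetical.

```javascript
// Added example (not lodash's code): why a string-only key guard is
// insufficient, and what a normalizing guard looks like. Names are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: a non-string segment is never compared, so an array that
// wraps a forbidden name is not inspected at all.
function stringOnlyGuard(path) {
  return path.every(seg => typeof seg !== 'string' || !FORBIDDEN_KEYS.has(seg));
}

// Property access coerces a segment with ToPropertyKey, so ['__proto__']
// becomes the string '__proto__'. Apply the same coercion before checking.
function toPropertyKey(seg) {
  return typeof seg === 'symbol' ? seg : String(seg);
}

function normalizedGuard(path) {
  return path.every(seg => !FORBIDDEN_KEYS.has(toPropertyKey(seg)));
}

// Hardened unset: reject forbidden keys after normalization and only walk
// through own properties, so inherited (prototype) objects are never reached.
function safeUnset(obj, path) {
  const keys = (Array.isArray(path) ? path : [path]).map(toPropertyKey);
  if (!keys.every(k => !FORBIDDEN_KEYS.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur === null || typeof cur !== 'object' ||
        !Object.prototype.hasOwnProperty.call(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  if (cur === null || typeof cur !== 'object') return false;
  return delete cur[keys[keys.length - 1]];
}
```

The advisory names upgrading to 4.18.0 as the only fix; this block illustrates the check's failure mode rather than standing in for the upgrade.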

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: LOW
Availability: LOW

Affected Products

Vendor | Product      | Versions
Lodash | Lodash       | >= 4.0.0, < 4.17.23
Lodash | Lodash-Amd   | >= 4.0.0, < 4.17.23
Lodash | Lodash-Es    | >= 4.0.0, < 4.17.23
Lodash | Lodash.Unset | >= 4.0.0

FAQ

What is CVE-2026-2950?

CVE-2026-2950 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions: the fix for CVE-2025-13465 only guards against string key members, so array-wrapped path segments bypass the check and allow deletion of properties from built-in prototypes (see the full description above).

How severe is CVE-2026-2950?

CVE-2026-2950 has been rated MEDIUM with a CVSS base score of 6.5/10. See the CVSS metrics above for the detailed severity breakdown.

Is there a patch for CVE-2026-2950?

Yes. The issue is patched in Lodash 4.18.0, and no workaround is listed (see the description above). Affected products include: Lodash Lodash, Lodash Lodash-Amd, Lodash Lodash-Es, Lodash Lodash.Unset.