Zero Day Monitor (ZDM)
CVE-2026-2950 (PATCHED), CVSS 6.5

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so the check can be bypassed by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches: This issue is patched in 4.18.0.

Workarounds: None. Upgrade to the patched version.

Affected Products

Vendor: —
Product: lodash
Versions: npm/lodash <= 4.17.23; npm/lodash-es <= 4.17.23; npm/lodash-amd <= 4.17.23; npm/lodash.unset >= 4.0.0, < 4.18.0

Also Affects

Downstream vendors/products affected by this vulnerability

  • Vendor: npm, Product: lodash-amd, Source: GHSA, Confidence: 85%
  • Vendor: npm, Product: lodash.unset, Source: GHSA, Confidence: 85%
  • Vendor: npm, Product: lodash-es, Source: GHSA, Confidence: 85%

References

  • https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CISA KEV: No
Actively exploited: No
Patch available: lodash@4.18.0, lodash-es@4.18.0, lodash-amd@4.18.0, lodash.unset@4.18.0
CWE: CWE-1321
Published: Mar 31, 2026
Last enriched: 7h ago
Trending Score: 0
Source articles: 0
Independent: 0
Info Completeness: 5/14
Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 31, 2026
Patch Available: Apr 1, 2026
Discovered by ZDM: Apr 1, 2026