PT-2026-29328 · Lodash · Lodash

Backuardo +9 · Published 2026-03-31 · Updated 2026-05-18 · CVE-2026-2950

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Lodash versions prior to 4.18.0

Description

Lodash versions 4.17.23 and earlier are susceptible to prototype pollution through the _.unset and _.omit functions. The initial fix did not fully address the issue, as an attacker can bypass the check by using array-wrapped path segments. This allows for the deletion of properties from built-in prototypes like Object.prototype, Number.prototype, and String.prototype. The issue allows deletion of prototype properties but does not permit overwriting their original behavior.

Recommendations

Upgrade to version 4.18.0 or later.
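For code that passes untrusted paths to _.unset or _.omit and has not yet been upgraded, the path can be screened before the call. The following is an added example, not Lodash code or the upstream fix. The names isUnsafePath, guardedUnset and guardedOmit and the blocked-key list are assumptions, and the check is deliberately conservative: it unwraps nested arrays and applies JavaScript's string coercion before comparing.

```javascript
// Added example (not Lodash code). All function names here are hypothetical.
// Conservative deny-list: any path that names one of these keys is rejected.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Every key name a path could resolve to, after unwrapping nested arrays and
// applying the string coercion JavaScript uses for computed property keys.
function candidateKeys(path) {
  const segments = Array.isArray(path) ? path.flat(Infinity) : [path];
  const keys = [];
  for (const segment of segments) {
    if (typeof segment === 'symbol') continue; // a symbol never equals a string key
    const text = String(segment);
    // Check the literal key and its dotted / bracketed components.
    keys.push(text, ...text.split(/[.,\[\]'"]+/));
  }
  return keys;
}

function isUnsafePath(path) {
  try {
    return candidateKeys(path).some((key) => BLOCKED_KEYS.has(key));
  } catch (err) {
    return true; // uncoercible or cyclic input: fail closed
  }
}

// unsetFn / omitFn are the library functions, passed in by the caller
// (for example _.unset and _.omit).
function guardedUnset(unsetFn, object, path) {
  if (isUnsafePath(path)) throw new TypeError('rejected unsafe property path');
  return unsetFn(object, path);
}

function guardedOmit(omitFn, object, paths) {
  if (isUnsafePath(paths)) throw new TypeError('rejected unsafe property path');
  return omitFn(object, paths);
}
```

The guard rejects legitimate keys named constructor or prototype as well, so it is a stopgap until the upgrade to 4.18.0 or later is in place.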

Fix

Prototype Pollution

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-2950
GHSA-F23M-R3PF-42RH
RHSA-2026:7378
RHSA-2026:7655
RHSA-2026:9455

Affected Products

Lodash