Prototype Pollution Vulnerability in Lodash by Lodash
CVE-2026-2950

6.5 MEDIUM

Key Information:

Vendor: Lodash

CVE Published: 31 March 2026

What is CVE-2026-2950?

Lodash versions up to 4.17.23 are susceptible to a prototype pollution vulnerability in the _.unset and _.omit functions. By supplying array-wrapped path segments, an attacker can delete properties from JavaScript's built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The vulnerability allows prototype properties to be removed, but it does not permit modification of their original functionality. No workarounds are available; users are urged to upgrade to Lodash version 4.18.0 or later. For more details, refer to the security advisory.

Affected Version(s)

lodash 4.17.23 < 4.18.0

lodash-amd 4.17.23 < 4.18.0

lodash-es 4.17.23 < 4.18.0
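
To check whether a project resolves an affected copy, the following added example (not from the advisory or the Lodash project) scans the packages map of a package-lock.json for lodash, lodash-amd and lodash-es below 4.18.0, including nested and aliased installs. It assumes lockfileVersion 2 or 3; the lockfile contents and the names demo-app, some-lib and legacy-utils are constructed for illustration.

```javascript
// Added example: package names and the fixed version come from the advisory above.
const AFFECTED = new Set(["lodash", "lodash-amd", "lodash-es"]);
const FIXED = [4, 18, 0];

// Parse "MAJOR.MINOR.PATCH[-pre][+build]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 4.18.0 (a 4.18.0 prerelease sorts before it).
function isBeforeFix(version) {
  const p = parseVersion(version);
  if (!p) return true; // unparseable (git URL, tag): report for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
// Keys are install paths; aliased installs carry the real package in "name".
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split("node_modules/").pop();
    if (AFFECTED.has(name) && isBeforeFix(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project and dependency names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.18.0" },
    "node_modules/lodash-es": { version: "4.17.23" },
    "node_modules/some-lib/node_modules/lodash": { version: "4.17.21" },
    "node_modules/legacy-utils": { name: "lodash", version: "4.17.23" },
    "node_modules/lodash.merge": { version: "4.6.2" },
  },
};

console.log(findAffected(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected and fail the build when the returned list is non-empty.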

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Haruna38
shpik-kr
maru1009
ott3r07
zolbooo
backuardo
falsyvalues
jonchurch
jdalton
UlisesGascon