CVE-2026-2950

Description

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

How to fix CVE-2026-2950

To remediate CVE-2026-2950, upgrade the affected package to a fixed version below.

• —no fix listed
• —upgrade to 4.18.0 or later
• —upgrade to 4.18.0 or later
• —upgrade to 4.18.0 or later
• —upgrade to 4.18.0 or later

Is CVE-2026-2950 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0
• from 0, < 4.18.0
• from 0, < 4.18.0
• from 0, < 4.18.0
• >= 4.0.0, < 4.18.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-2950
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-2950
• PATCHgithub.com/lodash/lodash
• WEBgithub.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
• WEB