CVE-2026-2950

Summary

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Severity

medium

EPSS

0.3% (p21)

Also known as

GHSA-f23m-r3pf-42rh#lodash, GHSA-f23m-r3pf-42rh#lodash-amd, GHSA-f23m-r3pf-42rh#lodash-es, GHSA-f23m-r3pf-42rh#lodash.unset

Published

2026-04-01

References

• https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
• https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
• https://nvd.nist.gov/vuln/detail/CVE-2026-2950

Related advisories

• CVE-2019-10744 — critical · npm/lodash
• CVE-2026-4800 — high · npm/lodash

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity