CVE-2026-2950

Description

Impact:Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.The issue permits deletion of prototype properties but does not allow overwriting their original behavior.Patches:This issue is patched in 4.18.0.Workarounds:None. Upgrade to the patched version.

Risk Information

Base Score

5.3

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Score

Exploitation Probability

0.071

Associated Vulnerability

Vulnerability	OS Platform
Multiple Vulnerabilities are affected in IBM Aspera Faspex 5.0.15	Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 12.0.12.24	Windows
Multiple Vulnerabilities are affected in IBM App Connect Enterprise 13.0.7.0	Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234