What is CVE-2026-2950?

CVE-2026-2950 is a medium-severity vulnerability in Lodash, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 6.5/10. Published 2026-03-31.

How severe is CVE-2026-2950?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Prototype Pollution in Lodash

CVE-2026-2950

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards agai…

Vulnerability class: Prototype Pollution

EPSS: 0.000 (7.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L.

Affected products

Lodash — versions 4.17.23, 4.18.0
Lodash Lodash-amd — versions 4.17.23, 4.18.0
Lodash Lodash-es — versions 4.17.23, 4.18.0
Lodash Lodash.unset — versions 4.0.0, 4.18.0

Weakness classification (CWE)

CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

References

github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

Frequently asked questions

What is CVE-2026-2950?: CVE-2026-2950 is a medium-severity vulnerability in Lodash, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 6.5/10. Published 2026-03-31.
How severe is CVE-2026-2950?: Medium severity. CVSS v3 base score is 6.5 out of 10.