What is the CVSS score of CVE-2026-2950?

CVE-2026-2950 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-2950?

Yes, a patch is available for CVE-2026-2950. Update the affected software to the latest version immediately.

Prototype Pollution CVE-2026-2950

EUVD-2026-17591 MEDIUM

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)

2026-03-31 openjs

GHSA-f23m-r3pf-42rh

Authentication Bypass Red Hat Prototype Pollution

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Patch released

Apr 02, 2026 - 14:30 nvd

Patch available

EUVD ID Assigned

Mar 31, 2026 - 19:47 euvd

EUVD-2026-17591

Analysis Generated

Mar 31, 2026 - 19:47 vuln.today

CVE Published

Mar 31, 2026 - 19:18 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

28 npm packages depend on lodash (14 direct, 14 indirect)
67 npm packages depend on lodash-es (25 direct, 42 indirect)

Ecosystem-wide dependent count for version 4.18.0 and other introduced versions.

DescriptionNVD

Impact:

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

Patches:

This issue is patched in 4.18.0.

Workarounds:

None. Upgrade to the patched version.

AnalysisAI

Prototype pollution in Lodash 4.17.23 and earlier allows unauthenticated remote attackers to delete properties from built-in prototypes (Object.prototype, Number.prototype, String.prototype) via array-wrapped path segments in _.unset and _.omit functions, bypassing the incomplete fix for CVE-2025-13465. The vulnerability has a CVSS score of 6.5 with low integrity and availability impact; no public exploit code or active exploitation has been confirmed at time of analysis.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory