{"data":{"id":"b7695939-e8f5-483b-86f1-15090ffa9cae","title":"GHSA-f23m-r3pf-42rh: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`","summary":"Lodash versions 4.17.23 and earlier have a prototype pollution vulnerability in the `_.unset` and `_.omit` functions (prototype pollution means tampering with built-in prototypes such as Object.prototype, which affects all objects that inherit from them). An attacker can bypass the previous security fix by wrapping path segments in arrays, which lets them delete properties from these built-in prototypes, although they cannot overwrite the prototypes' existing behavior.","solution":"Upgrade to Lodash version 4.18.0 or later. The source states: 'This issue is patched in 4.18.0.'","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-f23m-r3pf-42rh","publishedAt":"2026-04-01T23:50:27.000Z","cveId":"CVE-2026-2950","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":["lodash.unset@>= 4.0.0, < 4.18.0 (fixed: 4.18.0)","lodash-amd@<= 4.17.23 (fixed: 4.18.0)","lodash-es@<= 4.17.23 (fixed: 4.18.0)","lodash@<= 4.17.23 (fixed: 4.18.0)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00042,"patchAvailable":true,"disclosureDate":"2026-04-01T23:50:27.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}