Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-hjed-8rnm-kkbk
Summary
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
### Impact

Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. The fix for [CVE-2025-13465](https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as `Object.prototype`, `Number.prototype`, and `String.prototype`.

The issue permits deletion of prototype properties but does not allow overwriting their original behavior.

### Patches

This issue is patched in 4.18.0.

### Workarounds

None. Upgrade to the patched version.
Aliases
0
alias CVE-2026-2950
1
alias GHSA-f23m-r3pf-42rh
Fixed_packages
0
url pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.18.1%252Bdfsg-1%3Fdistro=trixie
1
url pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-2
purl pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.18.1%252Bdfsg-2
2
url pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-2?distro=trixie
purl pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.18.1%252Bdfsg-2%3Fdistro=trixie
3
url pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-3?distro=trixie
purl pkg:deb/debian/node-lodash@4.18.1%2Bdfsg-3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.18.1%252Bdfsg-3%3Fdistro=trixie
4
url pkg:npm/lodash@4.18.0
purl pkg:npm/lodash@4.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.18.0
5
url pkg:npm/lodash-amd@4.18.0
purl pkg:npm/lodash-amd@4.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-amd@4.18.0
6
url pkg:npm/lodash-es@4.18.0
purl pkg:npm/lodash-es@4.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.18.0
7
url pkg:npm/lodash.unset@4.18.0
purl pkg:npm/lodash.unset@4.18.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.unset@4.18.0
Affected_packages
0
url pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.173-1?distro=trixie
purl pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.173-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
2
vulnerability VCID-jsc5-qvjm-6kek
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.21%252Bdfsg%252B~cs8.31.173-1%3Fdistro=trixie
1
url pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.173-1
purl pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.173-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
2
vulnerability VCID-jsc5-qvjm-6kek
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.21%252Bdfsg%252B~cs8.31.173-1
2
url pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.198.20210220-9?distro=trixie
purl pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.198.20210220-9?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
2
vulnerability VCID-jsc5-qvjm-6kek
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.21%252Bdfsg%252B~cs8.31.198.20210220-9%3Fdistro=trixie
3
url pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.198.20210220-9
purl pkg:deb/debian/node-lodash@4.17.21%2Bdfsg%2B~cs8.31.198.20210220-9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
2
vulnerability VCID-jsc5-qvjm-6kek
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.21%252Bdfsg%252B~cs8.31.198.20210220-9
4
url pkg:deb/debian/node-lodash@4.17.23%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/node-lodash@4.17.23%2Bdfsg-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.23%252Bdfsg-1%3Fdistro=trixie
5
url pkg:deb/debian/node-lodash@4.17.23%2Bdfsg-1
purl pkg:deb/debian/node-lodash@4.17.23%2Bdfsg-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-lodash@4.17.23%252Bdfsg-1
6
url pkg:npm/lodash@4.17.23
purl pkg:npm/lodash@4.17.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.23
7
url pkg:npm/lodash-amd@4.17.23
purl pkg:npm/lodash-amd@4.17.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-amd@4.17.23
8
url pkg:npm/lodash-es@4.17.23
purl pkg:npm/lodash-es@4.17.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-an5j-y3cq-gbfx
1
vulnerability VCID-hjed-8rnm-kkbk
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash-es@4.17.23
9
url pkg:npm/lodash.unset@4.0.0
purl pkg:npm/lodash.unset@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hjed-8rnm-kkbk
1
vulnerability VCID-jsc5-qvjm-6kek
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash.unset@4.0.0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-2950
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06255
published_at 2026-04-21T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.12856
published_at 2026-04-02T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.12908
published_at 2026-04-04T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17215
published_at 2026-04-07T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.21728
published_at 2026-04-13T12:55:00Z
5
value 0.00071
scoring_system epss
scoring_elements 0.21734
published_at 2026-04-18T12:55:00Z
6
value 0.00071
scoring_system epss
scoring_elements 0.21727
published_at 2026-04-16T12:55:00Z
7
value 0.00071
scoring_system epss
scoring_elements 0.21756
published_at 2026-04-08T12:55:00Z
8
value 0.00071
scoring_system epss
scoring_elements 0.21814
published_at 2026-04-09T12:55:00Z
9
value 0.00071
scoring_system epss
scoring_elements 0.21824
published_at 2026-04-11T12:55:00Z
10
value 0.00071
scoring_system epss
scoring_elements 0.21785
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-2950
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950
3
reference_url https://github.com/lodash/lodash
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lodash/lodash
4
reference_url https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh
5
reference_url https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:43:14Z/
url https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-2950
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-2950
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2453499
reference_id 2453499
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2453499
8
reference_url https://github.com/advisories/GHSA-f23m-r3pf-42rh
reference_id GHSA-f23m-r3pf-42rh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f23m-r3pf-42rh
Weaknesses
0
cwe_id 1321
name Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
description The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
1
cwe_id 915
name Improperly Controlled Modification of Dynamically-Determined Object Attributes
description The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hjed-8rnm-kkbk