Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/lodash@4.17.5

Type npm

Namespace

Name lodash

Version 4.17.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.18.0

Latest_non_vulnerable_version 4.18.0

Affected_by_vulnerabilities

url VCID-4up5-csax-tuax

vulnerability_id VCID-4up5-csax-tuax

summary

Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.

The issue permits deletion of properties but does not allow overwriting their original behavior.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13465.json

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-13465.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-13465

reference_id

reference_type

scores

value	0.00028
scoring_system	epss
scoring_elements	0.08267
published_at	2026-06-08T12:55:00Z

value	0.00028
scoring_system	epss
scoring_elements	0.08327
published_at	2026-06-05T12:55:00Z

value	0.00028
scoring_system	epss
scoring_elements	0.08339
published_at	2026-06-06T12:55:00Z

value	0.00028
scoring_system	epss
scoring_elements	0.08321
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-13465

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13465

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126265
reference_id	1126265
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126265

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2431740
reference_id	2431740
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2431740

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-13465

reference_id

CVE-2025-13465

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-13465

reference_url

https://github.com/advisories/GHSA-xxjr-mmjv-4gpg

reference_id

GHSA-xxjr-mmjv-4gpg

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xxjr-mmjv-4gpg

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_id

GHSA-xxjr-mmjv-4gpg

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-21T19:43:10Z/

url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_url	https://access.redhat.com/errata/RHSA-2026:11414
reference_id	RHSA-2026:11414
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11414

reference_url	https://access.redhat.com/errata/RHSA-2026:13542
reference_id	RHSA-2026:13542
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13542

reference_url	https://access.redhat.com/errata/RHSA-2026:13548
reference_id	RHSA-2026:13548
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13548

reference_url	https://access.redhat.com/errata/RHSA-2026:13829
reference_id	RHSA-2026:13829
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13829

reference_url	https://access.redhat.com/errata/RHSA-2026:14774
reference_id	RHSA-2026:14774
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14774

reference_url	https://access.redhat.com/errata/RHSA-2026:14870
reference_id	RHSA-2026:14870
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14870

reference_url	https://access.redhat.com/errata/RHSA-2026:14871
reference_id	RHSA-2026:14871
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14871

reference_url	https://access.redhat.com/errata/RHSA-2026:15091
reference_id	RHSA-2026:15091
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:15091

reference_url	https://access.redhat.com/errata/RHSA-2026:17469
reference_id	RHSA-2026:17469
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17469

reference_url	https://access.redhat.com/errata/RHSA-2026:1845
reference_id	RHSA-2026:1845
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:1845

reference_url	https://access.redhat.com/errata/RHSA-2026:18480
reference_id	RHSA-2026:18480
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:18480

reference_url	https://access.redhat.com/errata/RHSA-2026:18868
reference_id	RHSA-2026:18868
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:18868

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:20042
reference_id	RHSA-2026:20042
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20042

reference_url	https://access.redhat.com/errata/RHSA-2026:20088
reference_id	RHSA-2026:20088
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20088

reference_url	https://access.redhat.com/errata/RHSA-2026:2078
reference_id	RHSA-2026:2078
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2078

reference_url	https://access.redhat.com/errata/RHSA-2026:2119
reference_id	RHSA-2026:2119
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2119

reference_url	https://access.redhat.com/errata/RHSA-2026:2145
reference_id	RHSA-2026:2145
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2145

reference_url	https://access.redhat.com/errata/RHSA-2026:2147
reference_id	RHSA-2026:2147
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2147

reference_url	https://access.redhat.com/errata/RHSA-2026:2148
reference_id	RHSA-2026:2148
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2148

reference_url	https://access.redhat.com/errata/RHSA-2026:2149
reference_id	RHSA-2026:2149
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2149

reference_url	https://access.redhat.com/errata/RHSA-2026:21658
reference_id	RHSA-2026:21658
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21658

reference_url	https://access.redhat.com/errata/RHSA-2026:24331
reference_id	RHSA-2026:24331
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24331

reference_url	https://access.redhat.com/errata/RHSA-2026:2438
reference_id	RHSA-2026:2438
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2438

reference_url	https://access.redhat.com/errata/RHSA-2026:2452
reference_id	RHSA-2026:2452
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2452

reference_url	https://access.redhat.com/errata/RHSA-2026:2462
reference_id	RHSA-2026:2462
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2462

reference_url	https://access.redhat.com/errata/RHSA-2026:2465
reference_id	RHSA-2026:2465
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2465

reference_url	https://access.redhat.com/errata/RHSA-2026:2469
reference_id	RHSA-2026:2469
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2469

reference_url	https://access.redhat.com/errata/RHSA-2026:2484
reference_id	RHSA-2026:2484
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2484

reference_url	https://access.redhat.com/errata/RHSA-2026:2651
reference_id	RHSA-2026:2651
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2651

reference_url	https://access.redhat.com/errata/RHSA-2026:2661
reference_id	RHSA-2026:2661
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2661

reference_url	https://access.redhat.com/errata/RHSA-2026:2672
reference_id	RHSA-2026:2672
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2672

reference_url	https://access.redhat.com/errata/RHSA-2026:2675
reference_id	RHSA-2026:2675
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2675

reference_url	https://access.redhat.com/errata/RHSA-2026:2694
reference_id	RHSA-2026:2694
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2694

reference_url	https://access.redhat.com/errata/RHSA-2026:2816
reference_id	RHSA-2026:2816
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2816

reference_url	https://access.redhat.com/errata/RHSA-2026:2817
reference_id	RHSA-2026:2817
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2817

reference_url	https://access.redhat.com/errata/RHSA-2026:2818
reference_id	RHSA-2026:2818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2818

reference_url	https://access.redhat.com/errata/RHSA-2026:2819
reference_id	RHSA-2026:2819
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2819

reference_url	https://access.redhat.com/errata/RHSA-2026:2900
reference_id	RHSA-2026:2900
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2900

reference_url	https://access.redhat.com/errata/RHSA-2026:2926
reference_id	RHSA-2026:2926
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2926

reference_url	https://access.redhat.com/errata/RHSA-2026:2984
reference_id	RHSA-2026:2984
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2984

reference_url	https://access.redhat.com/errata/RHSA-2026:2990
reference_id	RHSA-2026:2990
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:2990

reference_url	https://access.redhat.com/errata/RHSA-2026:3087
reference_id	RHSA-2026:3087
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3087

reference_url	https://access.redhat.com/errata/RHSA-2026:3422
reference_id	RHSA-2026:3422
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3422

reference_url	https://access.redhat.com/errata/RHSA-2026:3710
reference_id	RHSA-2026:3710
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3710

reference_url	https://access.redhat.com/errata/RHSA-2026:3712
reference_id	RHSA-2026:3712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3712

reference_url	https://access.redhat.com/errata/RHSA-2026:3782
reference_id	RHSA-2026:3782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3782

reference_url	https://access.redhat.com/errata/RHSA-2026:3825
reference_id	RHSA-2026:3825
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3825

reference_url	https://access.redhat.com/errata/RHSA-2026:3869
reference_id	RHSA-2026:3869
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3869

reference_url	https://access.redhat.com/errata/RHSA-2026:3870
reference_id	RHSA-2026:3870
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3870

reference_url	https://access.redhat.com/errata/RHSA-2026:3874
reference_id	RHSA-2026:3874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3874

reference_url	https://access.redhat.com/errata/RHSA-2026:3884
reference_id	RHSA-2026:3884
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3884

reference_url	https://access.redhat.com/errata/RHSA-2026:3958
reference_id	RHSA-2026:3958
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3958

reference_url	https://access.redhat.com/errata/RHSA-2026:3960
reference_id	RHSA-2026:3960
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3960

reference_url	https://access.redhat.com/errata/RHSA-2026:3962
reference_id	RHSA-2026:3962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:3962

reference_url	https://access.redhat.com/errata/RHSA-2026:4423
reference_id	RHSA-2026:4423
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4423

reference_url	https://access.redhat.com/errata/RHSA-2026:4466
reference_id	RHSA-2026:4466
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4466

reference_url	https://access.redhat.com/errata/RHSA-2026:4467
reference_id	RHSA-2026:4467
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4467

reference_url	https://access.redhat.com/errata/RHSA-2026:4630
reference_id	RHSA-2026:4630
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4630

reference_url	https://access.redhat.com/errata/RHSA-2026:4782
reference_id	RHSA-2026:4782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4782

reference_url	https://access.redhat.com/errata/RHSA-2026:5633
reference_id	RHSA-2026:5633
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5633

reference_url	https://access.redhat.com/errata/RHSA-2026:5636
reference_id	RHSA-2026:5636
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:5636

reference_url	https://access.redhat.com/errata/RHSA-2026:6192
reference_id	RHSA-2026:6192
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6192

reference_url	https://access.redhat.com/errata/RHSA-2026:6288
reference_id	RHSA-2026:6288
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6288

reference_url	https://access.redhat.com/errata/RHSA-2026:6497
reference_id	RHSA-2026:6497
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6497

reference_url	https://access.redhat.com/errata/RHSA-2026:6567
reference_id	RHSA-2026:6567
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:6567

reference_url	https://access.redhat.com/errata/RHSA-2026:8218
reference_id	RHSA-2026:8218
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8218

reference_url	https://access.redhat.com/errata/RHSA-2026:8229
reference_id	RHSA-2026:8229
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8229

reference_url	https://access.redhat.com/errata/RHSA-2026:9848
reference_id	RHSA-2026:9848
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9848

fixed_packages

url pkg:npm/lodash@4.17.23

purl pkg:npm/lodash@4.17.23

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.23

aliases CVE-2025-13465, GHSA-xxjr-mmjv-4gpg

risk_score 3.7

exploitability 0.5

weighted_severity 7.4

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4up5-csax-tuax

url VCID-aaeg-a8tc-dyd2

vulnerability_id VCID-aaeg-a8tc-dyd2

summary

Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to
Command Injection via the template function.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23337.json

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23337.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23337

reference_id

reference_type

scores

value	0.04314
scoring_system	epss
scoring_elements	0.89098
published_at	2026-06-08T12:55:00Z

value	0.04314
scoring_system	epss
scoring_elements	0.89097
published_at	2026-06-05T12:55:00Z

value	0.04314
scoring_system	epss
scoring_elements	0.8908
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23337

reference_url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23337

reference_url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851

reference_url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-1040724

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-1040724

reference_url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1928937
reference_id	1928937
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1928937

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086
reference_id	985086
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-23337

reference_id

CVE-2021-23337

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-23337

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml

reference_id

CVE-2021-23337.YML

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml

reference_url	https://access.redhat.com/errata/RHSA-2021:2179
reference_id	RHSA-2021:2179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2179

reference_url	https://access.redhat.com/errata/RHSA-2021:2438
reference_id	RHSA-2021:2438
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2438

reference_url	https://access.redhat.com/errata/RHSA-2021:2543
reference_id	RHSA-2021:2543
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2543

reference_url	https://access.redhat.com/errata/RHSA-2021:3459
reference_id	RHSA-2021:3459
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3459

reference_url	https://access.redhat.com/errata/RHSA-2022:6429
reference_id	RHSA-2022:6429
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6429

reference_url	https://access.redhat.com/errata/RHSA-2026:7329
reference_id	RHSA-2026:7329
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7329

fixed_packages

url pkg:npm/lodash@4.17.21

purl pkg:npm/lodash@4.17.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.21

aliases CVE-2021-23337, GHSA-35jh-r3h4-6jhm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aaeg-a8tc-dyd2

url VCID-aecq-1mad-n7h1

vulnerability_id VCID-aecq-1mad-n7h1

summary

Regular Expression Denial of Service (ReDoS) in lodash
All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions.

Steps to reproduce (provided by reporter Liyuan Chen):
```js
var lo = require('lodash');

function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28500.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28500.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-28500

reference_id

reference_type

scores

value	0.00245
scoring_system	epss
scoring_elements	0.47926
published_at	2026-06-04T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.47946
published_at	2026-06-08T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.47975
published_at	2026-06-07T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.47993
published_at	2026-06-06T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.47989
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-28500

reference_url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

reference_url

https://github.com/github/advisory-database/pull/6139

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/6139

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8

reference_url

https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a

reference_url

https://github.com/lodash/lodash/pull/5065

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/5065

reference_url

https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7

reference_url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210312-0006

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-1018905

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-1018905

reference_url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2022.html

reference_url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com//security-alerts/cpujul2021.html

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2021.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1928954
reference_id	1928954
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1928954

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086
reference_id	985086
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985086

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-28500

reference_id

CVE-2020-28500

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-28500

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml

reference_id

CVE-2020-28500.YML

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml

reference_url

https://github.com/advisories/GHSA-29mw-wpgm-hmr9

reference_id

GHSA-29mw-wpgm-hmr9

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-29mw-wpgm-hmr9

reference_url	https://access.redhat.com/errata/RHSA-2021:2179
reference_id	RHSA-2021:2179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2179

reference_url	https://access.redhat.com/errata/RHSA-2021:2438
reference_id	RHSA-2021:2438
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2438

reference_url	https://access.redhat.com/errata/RHSA-2021:2543
reference_id	RHSA-2021:2543
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2543

reference_url	https://access.redhat.com/errata/RHSA-2021:3459
reference_id	RHSA-2021:3459
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3459

reference_url	https://access.redhat.com/errata/RHSA-2022:6429
reference_id	RHSA-2022:6429
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6429

fixed_packages

url pkg:npm/lodash@4.17.21

purl pkg:npm/lodash@4.17.21

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.21

aliases CVE-2020-28500, GHSA-29mw-wpgm-hmr9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aecq-1mad-n7h1

url VCID-hm3y-cuw8-vfhe

vulnerability_id VCID-hm3y-cuw8-vfhe

summary lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-2950.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-2950

reference_id

reference_type

scores

value	0.00025
scoring_system	epss
scoring_elements	0.07562
published_at	2026-06-05T12:55:00Z

value	0.00025
scoring_system	epss
scoring_elements	0.0757
published_at	2026-06-06T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07885
published_at	2026-06-08T12:55:00Z

value	0.00026
scoring_system	epss
scoring_elements	0.07936
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-2950

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2950

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-2950

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-2950

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2453499
reference_id	2453499
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2453499

reference_url

https://github.com/advisories/GHSA-f23m-r3pf-42rh

reference_id

GHSA-f23m-r3pf-42rh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f23m-r3pf-42rh

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_id

GHSA-xxjr-mmjv-4gpg

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:43:14Z/

url

https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg

reference_url	https://access.redhat.com/errata/RHSA-2026:7378
reference_id	RHSA-2026:7378
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7378

reference_url	https://access.redhat.com/errata/RHSA-2026:7655
reference_id	RHSA-2026:7655
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:7655

reference_url	https://access.redhat.com/errata/RHSA-2026:9455
reference_id	RHSA-2026:9455
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9455

fixed_packages

url	pkg:npm/lodash@4.18.0
purl	pkg:npm/lodash@4.18.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.18.0

aliases CVE-2026-2950, GHSA-f23m-r3pf-42rh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hm3y-cuw8-vfhe

url VCID-k8q3-p39p-7ufs

vulnerability_id VCID-k8q3-p39p-7ufs

summary

Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype
Pollution. The functions `pick`, `set`, `setWith`, `update`,
`updateWith`, and `zipObjectDeep` allow a malicious user to
modify the prototype of Object if the property identifiers are
user-supplied. Being affected by this issue requires manipulating
objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an
existing property that will exist on all objects and may lead to
Denial of Service or Code Execution under specific circumstances.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8203.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8203.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8203

reference_id

reference_type

scores

value	0.02546
scoring_system	epss
scoring_elements	0.85756
published_at	2026-06-08T12:55:00Z

value	0.02546
scoring_system	epss
scoring_elements	0.85771
published_at	2026-06-07T12:55:00Z

value	0.02546
scoring_system	epss
scoring_elements	0.85775
published_at	2026-06-06T12:55:00Z

value	0.02546
scoring_system	epss
scoring_elements	0.85772
published_at	2026-06-05T12:55:00Z

value	0.02546
scoring_system	epss
scoring_elements	0.8575
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8203

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203

reference_url

https://github.com/advisories/GHSA-p6mc-m468-83gw

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p6mc-m468-83gw

reference_url

https://github.com/github/advisory-database/pull/2884

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/2884

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12

reference_url

https://github.com/lodash/lodash/issues/4744

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/4744

reference_url

https://github.com/lodash/lodash/issues/4874

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/4874

reference_url

https://github.com/lodash/lodash/wiki/Changelog#v41719

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/wiki/Changelog#v41719

reference_url

https://hackerone.com/reports/712065

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/712065

reference_url

https://hackerone.com/reports/864701

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/864701

reference_url

https://security.netapp.com/advisory/ntap-20200724-0006

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20200724-0006

reference_url

https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1857412
reference_id	1857412
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1857412

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283
reference_id	965283
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965283

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8203

reference_id

CVE-2020-8203

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8203

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml

reference_id

CVE-2020-8203.YML

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml

reference_url	https://access.redhat.com/errata/RHSA-2020:3369
reference_id	RHSA-2020:3369
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3369

reference_url	https://access.redhat.com/errata/RHSA-2020:3370
reference_id	RHSA-2020:3370
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3370

reference_url	https://access.redhat.com/errata/RHSA-2020:3807
reference_id	RHSA-2020:3807
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:3807

reference_url	https://access.redhat.com/errata/RHSA-2020:4298
reference_id	RHSA-2020:4298
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:4298

reference_url	https://access.redhat.com/errata/RHSA-2020:5179
reference_id	RHSA-2020:5179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:5179

reference_url	https://access.redhat.com/errata/RHSA-2020:5611
reference_id	RHSA-2020:5611
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:5611

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url pkg:npm/lodash@4.17.19

purl pkg:npm/lodash@4.17.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.19

aliases CVE-2020-8203, GHSA-p6mc-m468-83gw

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8q3-p39p-7ufs

url VCID-r83z-aktw-sbav

vulnerability_id VCID-r83z-aktw-sbav

summary

Denial of Service
Prototype pollution attack (lodash / constructor.prototype)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16487.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_id

reference_type

scores

value	0.00468
scoring_system	epss
scoring_elements	0.64828
published_at	2026-06-04T12:55:00Z

value	0.00468
scoring_system	epss
scoring_elements	0.64859
published_at	2026-06-08T12:55:00Z

value	0.00468
scoring_system	epss
scoring_elements	0.6488
published_at	2026-06-06T12:55:00Z

value	0.00468
scoring_system	epss
scoring_elements	0.6487
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16487

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487

reference_url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad

reference_url

https://hackerone.com/reports/380873

reference_id

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/380873

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878
reference_id	1671878
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1671878

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_id

493

reference_type

scores

value	7.0
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/493.json

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_id

CVE-2018-16487

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16487

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_id

CVE-2018-16487.YML

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml

reference_url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

reference_id

GHSA-4xc9-xhrj-v574

reference_type

scores

value	5.6
scoring_system	cvssv3
scoring_elements

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4xc9-xhrj-v574

fixed_packages

url pkg:npm/lodash@4.17.11

purl pkg:npm/lodash@4.17.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.11

aliases CVE-2018-16487, GHSA-4xc9-xhrj-v574

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r83z-aktw-sbav

url VCID-xn8k-qveu-afck

vulnerability_id VCID-xn8k-qveu-afck

summary lodash: lodash: Arbitrary code execution via untrusted input in template imports

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4800.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-4800.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-4800

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.14054
published_at	2026-06-05T12:55:00Z

value	0.00044
scoring_system	epss
scoring_elements	0.14055
published_at	2026-06-06T12:55:00Z

value	0.00046
scoring_system	epss
scoring_elements	0.14649
published_at	2026-06-08T12:55:00Z

value	0.00046
scoring_system	epss
scoring_elements	0.14732
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-4800

reference_url

https://cna.openjsf.org/security-advisories.html

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T20:36:55Z/

url

https://cna.openjsf.org/security-advisories.html

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4800
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-4800

reference_url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T20:36:55Z/

url

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-31T20:36:55Z/

url

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

reference_url

https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-4800

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-4800

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132500
reference_id	1132500
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132500

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2453496
reference_id	2453496
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2453496

reference_url

https://github.com/advisories/GHSA-r5fr-rjxr-66jc

reference_id

GHSA-r5fr-rjxr-66jc

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r5fr-rjxr-66jc

reference_url	https://access.redhat.com/errata/RHSA-2026:10131
reference_id	RHSA-2026:10131
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10131

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

reference_url	https://access.redhat.com/errata/RHSA-2026:10710
reference_id	RHSA-2026:10710
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10710

reference_url	https://access.redhat.com/errata/RHSA-2026:10713
reference_id	RHSA-2026:10713
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10713

reference_url	https://access.redhat.com/errata/RHSA-2026:11454
reference_id	RHSA-2026:11454
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11454

reference_url	https://access.redhat.com/errata/RHSA-2026:11469
reference_id	RHSA-2026:11469
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11469

reference_url	https://access.redhat.com/errata/RHSA-2026:11470
reference_id	RHSA-2026:11470
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11470

reference_url	https://access.redhat.com/errata/RHSA-2026:11471
reference_id	RHSA-2026:11471
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11471

reference_url	https://access.redhat.com/errata/RHSA-2026:11493
reference_id	RHSA-2026:11493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11493

reference_url	https://access.redhat.com/errata/RHSA-2026:11494
reference_id	RHSA-2026:11494
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11494

reference_url	https://access.redhat.com/errata/RHSA-2026:11495
reference_id	RHSA-2026:11495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11495

reference_url	https://access.redhat.com/errata/RHSA-2026:11516
reference_id	RHSA-2026:11516
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:11516

reference_url	https://access.redhat.com/errata/RHSA-2026:12277
reference_id	RHSA-2026:12277
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12277

reference_url	https://access.redhat.com/errata/RHSA-2026:12279
reference_id	RHSA-2026:12279
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:12279

reference_url	https://access.redhat.com/errata/RHSA-2026:13545
reference_id	RHSA-2026:13545
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13545

reference_url	https://access.redhat.com/errata/RHSA-2026:13553
reference_id	RHSA-2026:13553
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13553

reference_url	https://access.redhat.com/errata/RHSA-2026:13571
reference_id	RHSA-2026:13571
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13571

reference_url	https://access.redhat.com/errata/RHSA-2026:13826
reference_id	RHSA-2026:13826
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:13826

reference_url	https://access.redhat.com/errata/RHSA-2026:14870
reference_id	RHSA-2026:14870
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14870

reference_url	https://access.redhat.com/errata/RHSA-2026:14871
reference_id	RHSA-2026:14871
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:14871

reference_url	https://access.redhat.com/errata/RHSA-2026:16874
reference_id	RHSA-2026:16874
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:16874

reference_url	https://access.redhat.com/errata/RHSA-2026:17448
reference_id	RHSA-2026:17448
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17448

reference_url	https://access.redhat.com/errata/RHSA-2026:17468
reference_id	RHSA-2026:17468
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17468

reference_url	https://access.redhat.com/errata/RHSA-2026:17469
reference_id	RHSA-2026:17469
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17469

reference_url	https://access.redhat.com/errata/RHSA-2026:17547
reference_id	RHSA-2026:17547
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17547

reference_url	https://access.redhat.com/errata/RHSA-2026:17549
reference_id	RHSA-2026:17549
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17549

reference_url	https://access.redhat.com/errata/RHSA-2026:17550
reference_id	RHSA-2026:17550
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17550

reference_url	https://access.redhat.com/errata/RHSA-2026:17598
reference_id	RHSA-2026:17598
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17598

reference_url	https://access.redhat.com/errata/RHSA-2026:17789
reference_id	RHSA-2026:17789
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:17789

reference_url	https://access.redhat.com/errata/RHSA-2026:19008
reference_id	RHSA-2026:19008
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19008

reference_url	https://access.redhat.com/errata/RHSA-2026:19167
reference_id	RHSA-2026:19167
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19167

reference_url	https://access.redhat.com/errata/RHSA-2026:19409
reference_id	RHSA-2026:19409
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19409

reference_url	https://access.redhat.com/errata/RHSA-2026:19410
reference_id	RHSA-2026:19410
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19410

reference_url	https://access.redhat.com/errata/RHSA-2026:19712
reference_id	RHSA-2026:19712
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:19712

reference_url	https://access.redhat.com/errata/RHSA-2026:20041
reference_id	RHSA-2026:20041
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20041

reference_url	https://access.redhat.com/errata/RHSA-2026:20042
reference_id	RHSA-2026:20042
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20042

reference_url	https://access.redhat.com/errata/RHSA-2026:20943
reference_id	RHSA-2026:20943
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20943

reference_url	https://access.redhat.com/errata/RHSA-2026:20946
reference_id	RHSA-2026:20946
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:20946

reference_url	https://access.redhat.com/errata/RHSA-2026:21658
reference_id	RHSA-2026:21658
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:21658

reference_url	https://access.redhat.com/errata/RHSA-2026:22619
reference_id	RHSA-2026:22619
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:22619

reference_url	https://access.redhat.com/errata/RHSA-2026:24331
reference_id	RHSA-2026:24331
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:24331

reference_url	https://access.redhat.com/errata/RHSA-2026:8483
reference_id	RHSA-2026:8483
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8483

reference_url	https://access.redhat.com/errata/RHSA-2026:8484
reference_id	RHSA-2026:8484
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8484

reference_url	https://access.redhat.com/errata/RHSA-2026:8490
reference_id	RHSA-2026:8490
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8490

reference_url	https://access.redhat.com/errata/RHSA-2026:8491
reference_id	RHSA-2026:8491
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8491

reference_url	https://access.redhat.com/errata/RHSA-2026:8493
reference_id	RHSA-2026:8493
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8493

reference_url	https://access.redhat.com/errata/RHSA-2026:8498
reference_id	RHSA-2026:8498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8498

reference_url	https://access.redhat.com/errata/RHSA-2026:9385
reference_id	RHSA-2026:9385
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9385

reference_url	https://access.redhat.com/errata/RHSA-2026:9742
reference_id	RHSA-2026:9742
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:9742

fixed_packages

url	pkg:npm/lodash@4.18.0
purl	pkg:npm/lodash@4.18.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.18.0

aliases CVE-2026-4800, GHSA-r5fr-rjxr-66jc

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xn8k-qveu-afck

url VCID-xvf6-pgw4-nuhu

vulnerability_id VCID-xvf6-pgw4-nuhu

summary

Regular Expression Denial of Service (ReDoS) in lodash
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled
Resource Consumption. The impact is: Denial of service. The
component is: Date handler. The attack vector is: Attacker
provides very long strings, which the library attempts
to match using a regular expression.

The fixed version is: 4.7.11.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1010266.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-1010266

reference_id

reference_type

scores

value	0.00207
scoring_system	epss
scoring_elements	0.43118
published_at	2026-06-08T12:55:00Z

value	0.00207
scoring_system	epss
scoring_elements	0.43153
published_at	2026-06-07T12:55:00Z

value	0.00207
scoring_system	epss
scoring_elements	0.43175
published_at	2026-06-06T12:55:00Z

value	0.00207
scoring_system	epss
scoring_elements	0.43166
published_at	2026-06-05T12:55:00Z

value	0.00207
scoring_system	epss
scoring_elements	0.43092
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-1010266

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010266

reference_url

https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x5rq-j2xg-h7qm

reference_url

https://github.com/github/advisory-database/pull/6138

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/github/advisory-database/pull/6138

reference_url

https://github.com/lodash/lodash

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash

reference_url

https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347

reference_url

https://github.com/lodash/lodash/issues/3359

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/issues/3359

reference_url

https://github.com/lodash/lodash/wiki/Changelog

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/wiki/Changelog

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-73639

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-73639

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1743096
reference_id	1743096
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1743096

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

reference_id

CVE-2019-1010266

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-1010266

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml

reference_id

CVE-2019-1010266.YML

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url pkg:npm/lodash@4.17.11

purl pkg:npm/lodash@4.17.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.11

aliases CVE-2019-1010266, GHSA-x5rq-j2xg-h7qm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xvf6-pgw4-nuhu

url VCID-xwr9-5r2s-vucx

vulnerability_id VCID-xwr9-5r2s-vucx

summary

Prototype Pollution in lodash
Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution.  The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

references

reference_url

https://access.redhat.com/errata/RHSA-2019:3024

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2019:3024

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10744.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_id

reference_type

scores

value	0.18518
scoring_system	epss
scoring_elements	0.95382
published_at	2026-06-06T12:55:00Z

value	0.18518
scoring_system	epss
scoring_elements	0.9538
published_at	2026-06-05T12:55:00Z

value	0.18518
scoring_system	epss
scoring_elements	0.95372
published_at	2026-06-04T12:55:00Z

value	0.18518
scoring_system	epss
scoring_elements	0.95384
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10744

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10744

reference_url

https://github.com/lodash/lodash/pull/4336

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/pull/4336

reference_url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20191004-0005

reference_url	https://security.netapp.com/advisory/ntap-20191004-0005/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20191004-0005/

reference_url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-LODASH-450202

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&amp%3Butm_medium=RSS

reference_url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS

reference_url	https://www.npmjs.com/advisories/1065
reference_id
reference_type
scores
url	https://www.npmjs.com/advisories/1065

reference_url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujan2021.html

reference_url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497
reference_id	1739497
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1739497

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079
reference_id	933079
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933079

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_id

CVE-2019-10744

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10744

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_id

CVE-2019-10744.YML

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml

reference_url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_id

GHSA-jf85-cpcp-j695

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jf85-cpcp-j695

reference_url	https://access.redhat.com/errata/RHSA-2020:2362
reference_id	RHSA-2020:2362
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2362

reference_url	https://access.redhat.com/errata/RHSA-2020:2819
reference_id	RHSA-2020:2819
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2819

reference_url	https://access.redhat.com/errata/RHSA-2021:5134
reference_id	RHSA-2021:5134
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5134

reference_url	https://access.redhat.com/errata/RHSA-2022:5101
reference_id	RHSA-2022:5101
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5101

fixed_packages

url pkg:npm/lodash@4.17.12

purl pkg:npm/lodash@4.17.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-xn8k-qveu-afck

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.12

aliases CVE-2019-10744, GHSA-jf85-cpcp-j695

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xwr9-5r2s-vucx

Fixing_vulnerabilities

url VCID-ac1j-39fz-huf4

vulnerability_id VCID-ac1j-39fz-huf4

summary

lodash prototype pollution
lodash node module before 4.17.5 suffers from a prototype pollution vulnerability via 'defaultsDeep', 'merge', and 'mergeWith' functions, which allows a malicious user to modify the prototype of 'Object' via __proto__, causing the addition or modification of an existing property that will exist on all objects.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3721.json

reference_id

reference_type

scores

value	2.9
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3721.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-3721

reference_id

reference_type

scores

value	0.00249
scoring_system	epss
scoring_elements	0.48318
published_at	2026-06-04T12:55:00Z

value	0.00249
scoring_system	epss
scoring_elements	0.48337
published_at	2026-06-08T12:55:00Z

value	0.00249
scoring_system	epss
scoring_elements	0.48366
published_at	2026-06-07T12:55:00Z

value	0.00249
scoring_system	epss
scoring_elements	0.48384
published_at	2026-06-06T12:55:00Z

value	0.00249
scoring_system	epss
scoring_elements	0.48381
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-3721

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3721

reference_url

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_url

https://hackerone.com/reports/310443

reference_id

reference_type

scores

value	2.5
scoring_system	cvssv3
scoring_elements

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/310443

reference_url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20190919-0004

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1545884
reference_id	1545884
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1545884

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/368.json

reference_id

368

reference_type

scores

value	2.5
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/368.json

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890575
reference_id	890575
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890575

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-3721

reference_id

CVE-2018-3721

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-3721

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml

reference_id

CVE-2018-3721.YML

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml

reference_url

https://github.com/advisories/GHSA-fvqr-27wr-82fm

reference_id

GHSA-fvqr-27wr-82fm

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fvqr-27wr-82fm

reference_url	https://access.redhat.com/errata/RHSA-2021:3917
reference_id	RHSA-2021:3917
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3917

fixed_packages

url pkg:npm/lodash@4.17.5

purl pkg:npm/lodash@4.17.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-r83z-aktw-sbav

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xvf6-pgw4-nuhu

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.5

aliases CVE-2018-3721, GHSA-fvqr-27wr-82fm

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ac1j-39fz-huf4

url VCID-s46z-6pyy-vbhg

vulnerability_id VCID-s46z-6pyy-vbhg

summary

Denial of Service and remote code execution
Functions in Lodash ( merge, mergeWith, defaultsDeep) can modify the prototype of "Object" if given malicious data. This can lead to denial of service or remote code execution.

references

reference_url	https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
reference_id
reference_type
scores
url	https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

reference_url	https://hackerone.com/reports/310443
reference_id
reference_type
scores
url	https://hackerone.com/reports/310443

fixed_packages

url pkg:npm/lodash@4.17.5

purl pkg:npm/lodash@4.17.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4up5-csax-tuax

vulnerability	VCID-aaeg-a8tc-dyd2

vulnerability	VCID-aecq-1mad-n7h1

vulnerability	VCID-hm3y-cuw8-vfhe

vulnerability	VCID-k8q3-p39p-7ufs

vulnerability	VCID-r83z-aktw-sbav

vulnerability	VCID-xn8k-qveu-afck

vulnerability	VCID-xvf6-pgw4-nuhu

vulnerability	VCID-xwr9-5r2s-vucx

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.5

aliases GMS-2018-10

risk_score null

exploitability 0.5

weighted_severity 0.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s46z-6pyy-vbhg

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/lodash@4.17.5

Package Instance