VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-fbva-4bu5-k7dx

Essentials
Severities (17)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fbva-4bu5-k7dx
Aliases	CVE-2026-40190 GHSA-fw9q-39r9-c252
Summary	LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1321	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-40190
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-40190
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-40190
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-40190
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-fw9q-39r9-c252
cvssv3.1	5.6	https://github.com/langchain-ai/langsmith-sdk
generic_textual	MODERATE	https://github.com/langchain-ai/langsmith-sdk
cvssv3.1	5.6	https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3
generic_textual	MODERATE	https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3
cvssv3.1	5.6	https://github.com/langchain-ai/langsmith-sdk/pull/2690
generic_textual	MODERATE	https://github.com/langchain-ai/langsmith-sdk/pull/2690
cvssv3.1	5.6	https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252
cvssv3.1_qr	MODERATE	https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252
generic_textual	MODERATE	https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252
ssvc	Track	https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252
cvssv3.1	5.6	https://nvd.nist.gov/vuln/detail/CVE-2026-40190
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-40190

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-40190
		https://github.com/langchain-ai/langsmith-sdk
		https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3
		https://github.com/langchain-ai/langsmith-sdk/pull/2690
		https://nvd.nist.gov/vuln/detail/CVE-2026-40190
GHSA-fw9q-39r9-c252		https://github.com/advisories/GHSA-fw9q-39r9-c252
GHSA-fw9q-39r9-c252		https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/langchain-ai/langsmith-sdk

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/langchain-ai/langsmith-sdk/pull/2690

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T16:13:33Z/ Found at https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40190

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.04682
EPSS Score	0.00018
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:53:20.887303+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/40xxx/CVE-2026-40190.json	38.6.0