CVE-2025-13465
Prototype pollution in the _.unset and _.omit functions. A
crafted property path could be used to delete properties from
built-in prototypes (such as Object.prototype), leading to
availability and integrity issues.
CVE-2026-2950
An incomplete fix for CVE-2025-13465. The initial guard only
handled string key members and the literal "constructor.prototype"
sequence, so it could be bypassed using array-wrapped path
segments (for example [['constructor'], ['keys']]), via
constructor static methods, or from primitive roots, again allowing
deletion of properties on shared built-in prototypes.
CVE-2026-4800
Code injection in the _.template function. An incomplete fix for
CVE-2021-23337: the "variable" option was validated but the
"imports" option key names were not. Untrusted input passed as
imports key names could inject default-parameter expressions that
execute arbitrary code at template compilation time via the same