Browse all 4 CVE security advisories affecting lodash. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Lodash is a JavaScript utility library providing helper functions for common programming tasks, widely used for data manipulation and functional programming. Historically, vulnerabilities have included prototype pollution leading to remote code execution and cross-site scripting due to improper input sanitization in template processing functions. The library has faced security concerns over versions with insecure default behaviors, particularly in object handling mechanisms. While no major public incidents have been widely documented, the presence of four CVEs highlights ongoing security considerations, especially regarding prototype manipulation and input validation. Developers should use updated versions and sanitize input properly when using lodash's utility functions.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-4800 | lodash vulnerable to Code Injection via `_.template` imports key names — lodash, CWE-94 | 8.1 | High | 2026-03-31 |
| CVE-2026-2950 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` — lodash, CWE-1321 | 6.5 | Medium | 2026-03-31 |
| CVE-2025-13465 | Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions — Lodash, CWE-1321 | 9.1 (AI) | Critical (AI) | 2026-01-21 |
| CVE-2019-1010266 | lodash Resource Management Error Vulnerability — lodash, CWE-400 | 7.5 | - | 2019-07-17 |
This page lists every published CVE security advisory associated with lodash. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.