diff --git a/repository/jsrepository-master.json b/repository/jsrepository-master.json index cfbf25e5..c986e372 100644 --- a/repository/jsrepository-master.json +++ b/repository/jsrepository-master.json @@ -11176,7 +11176,8 @@ "severity": "high", "identifiers": { "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -11254,7 +11255,8 @@ "identifiers": { "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "severity": "medium", @@ -11278,6 +11280,7 @@ "identifiers": { "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -11302,6 +11305,7 @@ "identifiers": { "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v2.json b/repository/jsrepository-v2.json index 4520658f..094282e3 100644 --- a/repository/jsrepository-v2.json +++ b/repository/jsrepository-v2.json @@ -12643,7 +12643,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12716,7 +12717,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12735,6 +12737,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12754,6 +12757,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v3.json b/repository/jsrepository-v3.json index b3f06b29..f19cc074 100644 --- a/repository/jsrepository-v3.json +++ b/repository/jsrepository-v3.json @@ -12829,7 +12829,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12902,7 +12903,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12921,6 +12923,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12940,6 +12943,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v4.json b/repository/jsrepository-v4.json index 190a60a3..2bf6ec09 100644 --- a/repository/jsrepository-v4.json +++ b/repository/jsrepository-v4.json @@ -12828,7 +12828,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12901,7 +12902,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12920,6 +12922,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12939,6 +12942,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v5-combined.json b/repository/jsrepository-v5-combined.json index 7d9385e6..c571fa9b 100644 --- a/repository/jsrepository-v5-combined.json +++ b/repository/jsrepository-v5-combined.json @@ -12835,7 +12835,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12908,7 +12909,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12927,6 +12929,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12946,6 +12949,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v5.json b/repository/jsrepository-v5.json index ebe06895..c23527ae 100644 --- a/repository/jsrepository-v5.json +++ b/repository/jsrepository-v5.json @@ -12834,7 +12834,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12907,7 +12908,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12926,6 +12928,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12945,6 +12948,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v6-combined.json b/repository/jsrepository-v6-combined.json index 6be3d4d8..6ffba9e5 100644 --- a/repository/jsrepository-v6-combined.json +++ b/repository/jsrepository-v6-combined.json @@ -13065,7 +13065,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -13138,7 +13139,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "details": "### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior. \n\n### Patches\n\nThis issue is patched on 4.17.23.", @@ -13158,6 +13160,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -13178,6 +13181,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository-v6.json b/repository/jsrepository-v6.json index adb272f4..bd426304 100644 --- a/repository/jsrepository-v6.json +++ b/repository/jsrepository-v6.json @@ -13064,7 +13064,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -13137,7 +13138,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "details": "### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior. \n\n### Patches\n\nThis issue is patched on 4.17.23.", @@ -13157,6 +13159,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -13177,6 +13180,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] }, diff --git a/repository/jsrepository.json b/repository/jsrepository.json index 80f4f723..4952c7e5 100644 --- a/repository/jsrepository.json +++ b/repository/jsrepository.json @@ -12549,7 +12549,8 @@ "identifiers": { "summary": "Command Injection in lodash", "CVE": [ - "CVE-2021-23337" + "CVE-2021-23337", + "CVE-2026-4800" ], "githubID": "GHSA-35jh-r3h4-6jhm" }, @@ -12622,7 +12623,8 @@ "summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.", "githubID": "GHSA-xxjr-mmjv-4gpg", "CVE": [ - "CVE-2025-13465" + "CVE-2025-13465", + "CVE-2026-2950" ] }, "info": [ @@ -12641,6 +12643,7 @@ "summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.", "githubID": "GHSA-f23m-r3pf-42rh", "CVE": [ + "CVE-2025-13465", "CVE-2026-2950" ] }, @@ -12660,6 +12663,7 @@ "summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.", "githubID": "GHSA-r5fr-rjxr-66jc", "CVE": [ + "CVE-2021-23337", "CVE-2026-4800" ] },