Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions repository/jsrepository-master.json
Original file line number Diff line number Diff line change
Expand Up @@ -11176,7 +11176,8 @@
"severity": "high",
"identifiers": {
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -11254,7 +11255,8 @@
"identifiers": {
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"severity": "medium",
Expand All @@ -11278,6 +11280,7 @@
"identifiers": {
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -11302,6 +11305,7 @@
"identifiers": {
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v2.json
Original file line number Diff line number Diff line change
Expand Up @@ -12643,7 +12643,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12716,7 +12717,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12735,6 +12737,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12754,6 +12757,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v3.json
Original file line number Diff line number Diff line change
Expand Up @@ -12829,7 +12829,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12902,7 +12903,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12921,6 +12923,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12940,6 +12943,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v4.json
Original file line number Diff line number Diff line change
Expand Up @@ -12828,7 +12828,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12901,7 +12902,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12920,6 +12922,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12939,6 +12942,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v5-combined.json
Original file line number Diff line number Diff line change
Expand Up @@ -12835,7 +12835,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12908,7 +12909,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12927,6 +12929,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12946,6 +12949,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v5.json
Original file line number Diff line number Diff line change
Expand Up @@ -12834,7 +12834,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12907,7 +12908,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12926,6 +12928,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12945,6 +12948,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v6-combined.json
Original file line number Diff line number Diff line change
Expand Up @@ -13065,7 +13065,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -13138,7 +13139,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"details": "### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior. \n\n### Patches\n\nThis issue is patched on 4.17.23.",
Expand All @@ -13158,6 +13160,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -13178,6 +13181,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository-v6.json
Original file line number Diff line number Diff line change
Expand Up @@ -13064,7 +13064,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -13137,7 +13138,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"details": "### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior. \n\n### Patches\n\nThis issue is patched on 4.17.23.",
Expand All @@ -13157,6 +13159,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -13177,6 +13180,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
8 changes: 6 additions & 2 deletions repository/jsrepository.json
Original file line number Diff line number Diff line change
Expand Up @@ -12549,7 +12549,8 @@
"identifiers": {
"summary": "Command Injection in lodash",
"CVE": [
"CVE-2021-23337"
"CVE-2021-23337",
"CVE-2026-4800"
],
"githubID": "GHSA-35jh-r3h4-6jhm"
},
Expand Down Expand Up @@ -12622,7 +12623,8 @@
"summary": "Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution via the _.unset and _.omit functions. An attacker can pass crafted paths to delete methods from global prototypes such as Object.prototype, though the issue only permits deletion and not overwriting of properties.",
"githubID": "GHSA-xxjr-mmjv-4gpg",
"CVE": [
"CVE-2025-13465"
"CVE-2025-13465",
"CVE-2026-2950"
]
},
"info": [
Expand All @@ -12641,6 +12643,7 @@
"summary": "Lodash 4.17.23 and earlier are vulnerable to a prototype pollution bypass in _.unset and _.omit. The fix for CVE-2025-13465 only guards against string key members, so attackers can bypass it by passing array-wrapped path segments to delete properties from built-in prototypes including Object.prototype, Number.prototype, and String.prototype.",
"githubID": "GHSA-f23m-r3pf-42rh",
"CVE": [
"CVE-2025-13465",
"CVE-2026-2950"
]
},
Expand All @@ -12660,6 +12663,7 @@
"summary": "Lodash _.template is vulnerable to code injection via unsanitized options.imports key names. Untrusted key names are passed to the Function() constructor sink without validation, and the use of assignInWith (which enumerates inherited properties) also means that pre-existing prototype pollution on Object.prototype can flow into the Function() sink and execute arbitrary code at template compilation time.",
"githubID": "GHSA-r5fr-rjxr-66jc",
"CVE": [
"CVE-2021-23337",
"CVE-2026-4800"
]
},
Expand Down
Loading