SB2026042049 - IBM DevOps Test Performance update for Lodash




Published: April 20, 2026

Security Bulletin ID: SB2026042049
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Prototype pollution (CVE-ID: CVE-2026-2950)

The vulnerability allows a remote attacker to modify object prototype attributes.

The vulnerability exists due to improper control of object prototype modification in _.unset and _.omit when processing array-wrapped path segments. A remote attacker can pass crafted path segments to modify object prototype attributes.

The bypass affects checks that only guard against string key members. The issue permits deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype, but does not allow overwriting their original behavior.
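
The bypass described above, seen from the defensive side, as an added example (not IBM or Lodash code): a string-only key check beside a stricter path validator that can sit in front of `_.unset` / `_.omit` calls that receive untrusted paths. The function names, the blocked-key list and the sample paths are assumptions made for illustration.

```javascript
// Added example, not IBM or Lodash code. All names are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak guard: recognises a blocked key only when the segment is a string,
// the kind of check the bulletin says is bypassed.
function naiveIsSafePath(path) {
  const segments = Array.isArray(path) ? path : [path];
  return !segments.some((s) => typeof s === 'string' && BLOCKED_KEYS.has(s));
}

// Hardened guard: accept only string or number segments, so an array-wrapped
// segment such as ['__proto__'] is rejected by type before it can be coerced
// to the property key '__proto__'. String segments are also split on path
// delimiters (an assumed, conservative approximation of dotted and bracket
// syntax), so 'a.__proto__.b' is rejected as well.
function isSafePath(path) {
  const segments = Array.isArray(path) ? path : [path];
  for (const segment of segments) {
    if (typeof segment !== 'string' && typeof segment !== 'number') return false;
    const keys = String(segment).split(/[.\[\]'"]+/);
    if (keys.some((k) => BLOCKED_KEYS.has(k))) return false;
  }
  return true;
}

// Constructed sample paths (not taken from the bulletin).
const SAMPLES = [
  'user.profile.name',
  ['user', 'name'],
  ['__proto__', 'x'],
  [['__proto__'], 'x'],
  'a.__proto__.b',
];

// Run both guards over the samples so their verdicts can be compared.
function compareGuards(samples) {
  return samples.map((p) => ({
    path: JSON.stringify(p),
    naive: naiveIsSafePath(p),
    hardened: isSafePath(p),
  }));
}

console.table(compareGuards(SAMPLES));
```

The hardened guard is deliberately strict: it also rejects legitimate keys named `constructor` or `prototype`, which is usually acceptable for paths that come from untrusted input.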


Remediation

Install the update from the vendor's website.