Lodash

This hub aggregates every CVE we track for Lodash, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 10 most recently published vulnerabilities affecting Lodash.

• CVE-2026-4800lodash vulnerable to Code Injection via `_.template` imports key names8.1Mar 31, 2026
• CVE-2026-2950lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`6.5Mar 31, 2026
• CVE-2025-13465Prototype Pollution Vulnerability in Lodash _.unset and _.omit functions5.3Jan 21, 2026
• CVE-2021-23337Command Injection7.2Feb 15, 2021
• CVE-2020-28500Regular Expression Denial of Service (ReDoS)5.3Feb 15, 2021
• CVE-2020-8203Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.7.4Jul 15, 2020
• CVE-2019-10744Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor p...9.1Jul 25, 2019
• CVE-2019-1010266lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very lo...6.5Jul 17, 2019
• CVE-2018-16487A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.5.6Feb 1, 2019
• CVE-2018-3721lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify...6.5Jun 7, 2018