ROOT-APP-NPM-CVE-2025-13465 CVE-2025-13465 in @rootio/lodash - Patched by Root

Root has patched CVE-2025-13465 in the @rootio/lodash package for Root:npm. Multiple fixed versions available...

Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by multiple vulnerabilities in lodash and lodash-es (CVE-2026-2950, CVE-2026-4800)

Summary Multiple vulnerabilities in the lodash and lodash-es utility libraries CVE-2026-2950, CVE-2026-4800 used by IBM InfoSphere Optim Archive Viewer have been addressed by upgrading the components to version 4.18.0. Vulnerability Details CVEID:CVE-2026-2950 DESCRIPTION: Impact: Lodash versions...

Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by a vulnerability in Lodash and Lodash-es (CVE-2025-13465)

Summary A prototype pollution vulnerability in the Lodash and Lodash-es libraries CVE-2025-13465 used by IBM InfoSphere Optim Archive Viewer has been addressed by upgrading to version 4.18.0. Vulnerability Details CVEID:CVE-2025-13465 DESCRIPTION: Lodash versions 4.0.0 through 4.17.22 are...

Security Bulletin: Carbon Charts lodash-es Security Vulnerabilities

Summary Carbon Charts versions prior to 1.27.8 include lodash-es version 4.17.23, which contains two security vulnerabilities: a prototype pollution vulnerability CVE-2026-2950, CVSS 5.3 in the .unset and .omit functions that allows deletion of properties from built-in prototypes, and a critical...

4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +5461 more potentially affected by CVE-2026-4800 via lodash-es (>=4.0.0 <=4.17.8)

lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.3.4, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.7.0, =0.10.2 and more Source cves: CVE-2026-4800 Source advisory: OSV:GHSA-R5FR-RJXR-66JC...

4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +5481 more potentially affected by CVE-2025-13465 +1 more via lodash-es (>=4.0.0 <=4.18.0)

lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.3.4, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.7.0, =0.10.2 and more Source cves: CVE-2025-13465, CVE-2026-2950 Source advisory: SNYK:JS-LODASHES-15869621...

org.webjars.npm:angular-tree-component (>=3.2.3 <=3.7.2), org.webjars.npm:chevrotain (>=11.0.3 <=11.1.2) +72 more potentially affected by CVE-2025-13465 +1 more via org.webjars.npm:lodash-es (>=4.17.21 <=4.17.4)

org.webjars.npm:lodash-es MAVEN version =4.17.21, =3.2.3, =11.0.3, =11.0.3, =11.0.3, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =44.1.0, =39.0.1, =44.3.0 and more Source cves: CVE-2025-13465, CVE-2026-2950 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15869624...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been pollute...

org.webjars.npm:angular-tree-component (>=3.2.3 <=3.7.2), org.webjars.npm:chevrotain (>=11.0.3 <=11.1.2) +72 more potentially affected by CVE-2021-23337 +1 more via org.webjars.npm:lodash-es (>=4.17.21 <=4.17.4)

org.webjars.npm:lodash-es MAVEN version =4.17.21, =3.2.3, =11.0.3, =11.0.3, =11.0.3, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =39.0.1, =44.1.0, =39.0.1, =44.3.0 and more Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15869632...

4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +5481 more potentially affected by CVE-2021-23337 +1 more via lodash-es (>=4.0.0 <=4.18.0)

lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.3.4, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.3.5, =0.7.0, =0.10.2 and more Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JS-LODASHES-15869627...

4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +4347 more potentially affected by CVE-2025-13465 via lodash-es (>=4.0.0 <=4.17.22)

lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.7.0, =1.0.0, =0.1.3, =0.0.4, =0.1.0, =0.0.1-alpha.4, =1.0.1, =0.0.1, =0.0.7 and more Source cves: CVE-2025-13465 Source advisory: SNYK:JS-LODASHES-15053836...

org.webjars.npm:chevrotain (=11.0.3), org.webjars.npm:chevrotain__cst-dts-gen (=11.0.3) +71 more potentially affected by CVE-2025-13465 via org.webjars.npm:lodash-es (=4.17.21)

org.webjars.npm:lodash-es MAVEN version =4.17.21 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:lodash-es and may be impacted: - org.webjars.npm:chevrotain =11.0.3 - org.webjars.npm:chevrotaincst-dts-gen =11.0.3 -...

4game-support-ckeditor5-custom-build (>=0.0.1 <=0.0.5), 87-midnight-ckeditor5 (>=0.0.3 <=0.0.5) +4347 more potentially affected by CVE-2025-13465 via lodash-es (>=4.0.0 <=4.17.22)

lodash-es NPM version =4.0.0, =0.0.1, =0.0.3, =0.0.1, =1.0.0, =2.14.1, =41.3.1, =2.1.0, =0.7.0, =1.0.0, =0.1.3, =0.0.4, =0.1.0, =0.0.1-alpha.4, =1.0.1, =0.0.1, =0.0.7 and more Source cves: CVE-2025-13465 Source advisory: OSV:GHSA-XXJR-MMJV-4GPG...

@across-ui/example (>=0.0.1-alpha.4 <=0.0.4-alpha.5), @agreejs/api (>=0.0.1 <=3.2.14) +752 more potentially affected by CVE-2020-28500 via lodash-es (>=4.0.0 <=4.17.20)

lodash-es NPM version =4.0.0, =0.0.1-alpha.4, =0.0.1, =0.0.2, =3.2.1, =3.2.1, =3.2.1, =0.0.1, =3.2.1, =3.2.1, =0.1.0, =0.3.14, =0.4.63, =0.4.64 and more Source cves: CVE-2020-28500 Source advisory: OSV:GHSA-29MW-WPGM-HMR9...

@across-ui/example (>=0.0.1-alpha.4 <=0.0.4-alpha.5), @agreejs/api (>=0.0.1 <=3.2.14) +797 more potentially affected by CVE-2021-23337 via lodash-es (>=3.0.0 <=4.17.20)

lodash-es NPM version =3.0.0, =0.0.1-alpha.4, =0.0.1, =0.0.2, =3.2.1, =3.2.1, =3.2.1, =0.0.1, =3.2.1, =3.2.1, =0.1.0, =0.3.14, =0.4.63, =0.4.64 and more Source cves: CVE-2021-23337 Source advisory: OSV:GHSA-35JH-R3H4-6JHM...

@across-ui/example (>=0.0.1-alpha.4 <=0.0.4-alpha.5), @agreejs/api (>=0.0.1 <=3.2.14) +752 more potentially affected by CVE-2021-23337 via lodash-es (>=4.0.0 <=4.17.20)

lodash-es NPM version =4.0.0, =0.0.1-alpha.4, =0.0.1, =0.0.2, =3.2.1, =3.2.1, =3.2.1, =0.0.1, =3.2.1, =3.2.1, =0.1.0, =0.3.14, =0.4.63, =0.4.64 and more Source cves: CVE-2021-23337 Source advisory: SNYK:JS-LODASHES-2434284...

Code Injection

Overview Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted,...

@across-ui/example (>=0.0.1-alpha.4 <=0.0.4-alpha.5), @agreejs/api (>=0.0.1 <=3.2.14) +752 more potentially affected by CVE-2020-28500 via lodash-es (>=4.0.0 <=4.17.20)

lodash-es NPM version =4.0.0, =0.0.1-alpha.4, =0.0.1, =0.0.2, =3.2.1, =3.2.1, =3.2.1, =0.0.1, =3.2.1, =3.2.1, =0.1.0, =0.3.14, =0.4.63, =0.4.64 and more Source cves: CVE-2020-28500 Source advisory: SNYK:JS-LODASHES-2434289...

@across-ui/example (>=0.0.1-alpha.4 <=0.0.4-alpha.5), @agreejs/api (>=0.0.1 <=3.2.14) +709 more potentially affected by CVE-2020-8203 via lodash-es (>=4.0.0 <=4.17.2)

lodash-es NPM version =4.0.0, =0.0.1-alpha.4, =0.0.1, =0.0.2, =3.2.1, =3.2.1, =3.2.1, =0.0.1, =3.2.1, =3.2.1, =0.3.14, =0.4.63, =0.1.1, =0.5.23 and more Source cves: CVE-2020-8203 Source advisory: OSV:GHSA-P6MC-M468-83GW...

@astro-my/design-systems (>=0.3.14 <=0.4.42), @astro-my/design-systems-aw (>=0.4.63 <=0.4.64) +143 more potentially affected by CVE-2019-10744 via lodash-es (>=3.0.0 <=4.17.12)

lodash-es NPM version =3.0.0, =0.3.14, =0.4.63, =0.1.1, =0.1.1, =0.3.2-a, =0.1.0, =0.1.0, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.5.24 - @astro-my/design-systems-xuan-ts =0.1.1 and more Source cves: CVE-2019-10744 Source advisory: OSV:GHSA-JF85-CPCP-J695...