CVE-2026-29063 · CRITICAL 9.8 · EPSS p44.6%

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.61% probability of exploitation · percentile 44.6% · 2026-06-19T12:03:05Z
Published: 2026-03-06
Last modified: 2026-04-17

Underlying weaknesses · 1

CWE-1321

References

  1. https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3
  2. https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8
  3. https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5
  4. https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw

Type: Weakness
Target: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (cwe-1321)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-8657
  2. CVE: CVE-2026-46509
  3. CVE: CVE-2026-44291
  4. CVE: CVE-2026-46510
  5. CVE: CVE-2025-61140
  6. CVE: CVE-2026-25047

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.