COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-29063

CVE-2026-29063

Severity
critical
Source
NVD · cve
Published
2026-03-06
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-29063
⚡ RCE shame 50/100 rce

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8

Players implicated

immutable-js · vendorimmutable · product

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.