THREAT OPS › Threat News › [NVD] CVE-2026-29063 (CRITICAL 9.8) — Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8
[NVD] CVE-2026-29063 (CRITICAL 9.8) — Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8
CVE-2026-29063 CVSS: 9.8 CRITICAL Published: 2026-03-06T19:16:21.557
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Indicators of compromise
- CVE-2026-29063cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-29063