THREATOPS
THREAT OPSThreat News › [NVD] CVE-2026-29063 (CRITICAL 9.8) — Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8

[NVD] CVE-2026-29063 (CRITICAL 9.8) — Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8

lownvdPublished 2026-03-06

CVE-2026-29063 CVSS: 9.8 CRITICAL Published: 2026-03-06T19:16:21.557

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

Indicators of compromise

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-29063