Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29063.json
https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw
https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5
https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8
https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3
https://bugzilla.redhat.com/show_bug.cgi?id=2445291
https://access.redhat.com/security/cve/CVE-2026-29063
https://access.redhat.com/errata/RHSA-2026:9848
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:8218
https://access.redhat.com/errata/RHSA-2026:7329
https://access.redhat.com/errata/RHSA-2026:6926
https://access.redhat.com/errata/RHSA-2026:6720
https://access.redhat.com/errata/RHSA-2026:6568
https://access.redhat.com/errata/RHSA-2026:6428
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:34342
https://access.redhat.com/errata/RHSA-2026:34100
https://access.redhat.com/errata/RHSA-2026:34099
https://access.redhat.com/errata/RHSA-2026:34049
https://access.redhat.com/errata/RHSA-2026:29864
https://access.redhat.com/errata/RHSA-2026:29857
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:28893
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:26232
https://access.redhat.com/errata/RHSA-2026:26225
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:24473
https://access.redhat.com/errata/RHSA-2026:23246
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:21931
https://access.redhat.com/errata/RHSA-2026:21703
https://access.redhat.com/errata/RHSA-2026:21658
https://access.redhat.com/errata/RHSA-2026:21657
https://access.redhat.com/errata/RHSA-2026:20088
https://access.redhat.com/errata/RHSA-2026:20042
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:20034
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19410
https://access.redhat.com/errata/RHSA-2026:19409
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:17469
https://access.redhat.com/errata/RHSA-2026:13853
https://access.redhat.com/errata/RHSA-2026:13847
https://access.redhat.com/errata/RHSA-2026:13829
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:13791
https://access.redhat.com/errata/RHSA-2026:13548
https://access.redhat.com/errata/RHSA-2026:13542
https://access.redhat.com/errata/RHSA-2026:12118
https://access.redhat.com/errata/RHSA-2026:11916
https://access.redhat.com/errata/RHSA-2026:11858
https://access.redhat.com/errata/RHSA-2026:11414
Published: 2026-03-06
Updated: 2026-07-15
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Severity: Critical
Base Score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: Critical
Base Score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Severity: High
EPSS: 0.00046