CVE-2026-29063

high

Description

Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29063.json

https://github.com/immutable-js/immutable-js/security/advisories/GHSA-wf6x-7x77-mvgw

https://github.com/immutable-js/immutable-js/releases/tag/v5.1.5

https://github.com/immutable-js/immutable-js/releases/tag/v4.3.8

https://github.com/immutable-js/immutable-js/releases/tag/v3.8.3

https://bugzilla.redhat.com/show_bug.cgi?id=2445291

https://access.redhat.com/security/cve/CVE-2026-29063

https://access.redhat.com/errata/RHSA-2026:9848

https://access.redhat.com/errata/RHSA-2026:9742

https://access.redhat.com/errata/RHSA-2026:8493

https://access.redhat.com/errata/RHSA-2026:8491

https://access.redhat.com/errata/RHSA-2026:8490

https://access.redhat.com/errata/RHSA-2026:8484

https://access.redhat.com/errata/RHSA-2026:8483

https://access.redhat.com/errata/RHSA-2026:8218

https://access.redhat.com/errata/RHSA-2026:7329

https://access.redhat.com/errata/RHSA-2026:6926

https://access.redhat.com/errata/RHSA-2026:6720

https://access.redhat.com/errata/RHSA-2026:6568

https://access.redhat.com/errata/RHSA-2026:6428

https://access.redhat.com/errata/RHSA-2026:36882

https://access.redhat.com/errata/RHSA-2026:36651

https://access.redhat.com/errata/RHSA-2026:34342

https://access.redhat.com/errata/RHSA-2026:34100

https://access.redhat.com/errata/RHSA-2026:34099

https://access.redhat.com/errata/RHSA-2026:34049

https://access.redhat.com/errata/RHSA-2026:29864

https://access.redhat.com/errata/RHSA-2026:29857

https://access.redhat.com/errata/RHSA-2026:28964

https://access.redhat.com/errata/RHSA-2026:28893

https://access.redhat.com/errata/RHSA-2026:27063

https://access.redhat.com/errata/RHSA-2026:26232

https://access.redhat.com/errata/RHSA-2026:26225

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:24473

https://access.redhat.com/errata/RHSA-2026:23246

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:21931

https://access.redhat.com/errata/RHSA-2026:21703

https://access.redhat.com/errata/RHSA-2026:21658

https://access.redhat.com/errata/RHSA-2026:21657

https://access.redhat.com/errata/RHSA-2026:20088

https://access.redhat.com/errata/RHSA-2026:20042

https://access.redhat.com/errata/RHSA-2026:20041

https://access.redhat.com/errata/RHSA-2026:20034

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19410

https://access.redhat.com/errata/RHSA-2026:19409

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:17598

https://access.redhat.com/errata/RHSA-2026:17469

https://access.redhat.com/errata/RHSA-2026:13853

https://access.redhat.com/errata/RHSA-2026:13847

https://access.redhat.com/errata/RHSA-2026:13829

https://access.redhat.com/errata/RHSA-2026:13826

https://access.redhat.com/errata/RHSA-2026:13791

https://access.redhat.com/errata/RHSA-2026:13548

https://access.redhat.com/errata/RHSA-2026:13542

https://access.redhat.com/errata/RHSA-2026:12118

https://access.redhat.com/errata/RHSA-2026:11916

https://access.redhat.com/errata/RHSA-2026:11858

https://access.redhat.com/errata/RHSA-2026:11414

https://access.redhat.com/errata/RHSA-2026:11217

https://access.redhat.com/errata/RHSA-2026:11070

Details

Source: Mitre, NVD

Published: 2026-03-06

Updated: 2026-07-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00046