Security: lodash-es@4.17.23 vulnerability (CVE-2026-4800) in semantic-ui-react dependency #4538

Description

@swarnimsuman

Summary

semantic-ui-react (v2.1.5) depends on lodash-es@4.17.23, which is affected by CVE-2026-4800. This introduces a potential security risk via a transitive dependency.


Details

The vulnerability is related to unsafe object handling (prototype pollution), which may allow:

  • Injection of unexpected properties into objects
  • Manipulation of application logic
  • Potential denial of service (DoS) or other unintended behavior depending on usage

Even if not directly exploitable within semantic-ui-react, this dependency may expose downstream applications to risk.


Reproduction

npm install semantic-ui-react@2.1.5
npm ls lodash-es

Expected

Dependency should resolve to a patched/non-vulnerable version of lodash-es.
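
A lockfile check to go with the reproduction above, added here as an example that is not part of the original issue or the semantic-ui-react project: it lists each installed copy of lodash-es at the version named in the issue, together with the packages whose dependency resolves to that copy. The sample lockfile is constructed apart from the two versions quoted in the issue, and the function names are illustrative.

```javascript
// Added example (not from the issue or the project): audit a package-lock.json
// (lockfileVersion 2 or 3) for the lodash-es version named in the issue.
const FLAGGED = { name: 'lodash-es', versions: new Set(['4.17.23']) };

// Constructed sample lockfile. Only semantic-ui-react@2.1.5 and lodash-es@4.17.23
// come from the issue; demo-app, other-lib and all ranges are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'semantic-ui-react': '^2.1.5' } },
    'node_modules/semantic-ui-react': { version: '2.1.5', dependencies: { 'lodash-es': '^4.17.21' } },
    'node_modules/lodash-es': { version: '4.17.23' },
    'node_modules/other-lib': { version: '1.0.0', dependencies: { 'lodash-es': '^4.17.0' } },
    'node_modules/other-lib/node_modules/lodash-es': { version: '4.17.20' },
  },
};

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
const nameFromPath = (p) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);

// Find the installed copy that `fromPath` gets for `dep`, walking up like Node's resolver.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// One finding per flagged copy, with the packages that actually resolve to it.
function findFlagged(lock, flagged = FLAGGED) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [path, pkg] of entries) {
    if (!path || nameFromPath(path) !== flagged.name || !flagged.versions.has(pkg.version)) continue;
    const requiredBy = entries
      .filter(([other, meta]) => {
        const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
        return flagged.name in deps && resolveDep(lock.packages, other, flagged.name) === path;
      })
      .map(([other, meta]) => (other ? `${nameFromPath(other)}@${meta.version}` : '(root)'));
    findings.push({ path, version: pkg.version, requiredBy });
  }
  return findings;
}

console.log(JSON.stringify(findFlagged(sampleLock), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findFlagged`. Workspace links (`link: true` entries) are not followed.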
