Summary
semantic-ui-react (v2.1.5) depends on lodash-es@4.17.23, which is affected by CVE-2026-4800. This introduces a potential security risk via a transitive dependency.
Details
The vulnerability is related to unsafe object handling (prototype pollution), which may allow:
- Injection of unexpected properties into objects
- Manipulation of application logic
- Potential denial of service (DoS) or other unintended behavior depending on usage
Even if not directly exploitable within semantic-ui-react, this dependency may expose downstream applications to risk.
Reproduction
npm install semantic-ui-react@2.1.5
npm ls lodash-es
Expected
Dependency should resolve to a patched/non-vulnerable version of lodash-es.
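The reproduction above relies on reading `npm ls` output by eye. The following script is an added example (not part of this issue or of semantic-ui-react) that walks the JSON form of that output, lists every lodash-es instance with its dependency path, and flags the version this report names as affected by CVE-2026-4800; the sample tree and the versions of packages other than semantic-ui-react and lodash-es are constructed placeholders.

```javascript
// Added example: scan `npm ls --all --json` output for lodash-es and flag the
// version reported as affected. Exact-match only: the patched version is not
// stated in this issue, so take the fixed range from the advisory itself.
const AFFECTED = { name: 'lodash-es', version: '4.17.23' }; // from the report

// Recursively collect every instance of `name` in an `npm ls --json` tree.
// Shape: { dependencies: { pkg: { version, dependencies: { ... } } } }
function findPackage(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) {
      out.push({
        path: here.join(' > '),
        version: info.version,
        transitive: path.length > 0, // reached through another package
      });
    }
    findPackage(info, name, here, out); // nested node_modules
  }
  return out;
}

function isAffected(version) {
  return version === AFFECTED.version;
}

// Annotate each hit with whether it matches the reported affected version.
function report(tree) {
  return findPackage(tree, AFFECTED.name).map((hit) => ({
    ...hit,
    affected: isAffected(hit.version),
  }));
}

// Constructed sample: a project depending on semantic-ui-react@2.1.5 and also
// hoisting its own copy of lodash-es (prop-types version is a placeholder).
const SAMPLE_TREE = {
  name: 'my-app',
  dependencies: {
    'semantic-ui-react': {
      version: '2.1.5',
      dependencies: {
        'lodash-es': { version: '4.17.23' },
        'prop-types': { version: '15.8.1' },
      },
    },
    'lodash-es': { version: '4.17.23' },
  },
};

for (const hit of report(SAMPLE_TREE)) {
  console.log(`${hit.affected ? 'AFFECTED' : 'ok      '} ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json`; a hit marked `transitive: true` is the case this issue describes.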