CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59880

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-08
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.

⚡ Watch CVE-2026-59880

Get an email if CVE-2026-59880 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59880

CVE.org record

Embed the live status

CVE-2026-59880 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59880 status](https://www.csirts.com/badge/CVE-2026-59880)](https://www.csirts.com/cve/CVE-2026-59880)