Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2021-23337 — Code Injection in Lodash
CWE-94 — Code Injection; CWE-78 — OS Command Injection; CWE-77 — Command Injection
15 documents, 10 sources
Severity
7.2 HIGH (NVD)
EPSS
4.3%
top 11.09%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: Feb 15
Latest update: Apr 1
Description
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9
Affected Packages: 27 packages
Patches
Vulnerability Details (5)
Exploits & PoCs (1)
Nuclei: Lodash Template - Server-Side Template Injection (RCE)
Vendor Advisories (6)
Oracle: Oracle Financial Services Applications Risk Matrix: Studio (Lodash) — CVE-2021-23337 (2022-07-15)
Oracle: Oracle Communications Risk Matrix: Binding Support Function (Lodash) — CVE-2021-23337 (2022-01-15)
Oracle: Oracle Communications Applications Risk Matrix: PSR Designer (Lodash) — CVE-2021-23337 (2021-10-15)
Threat Intelligence (1)
Community (1)
Bugzilla: CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports (2026-03-31)