CVE-2026-4800
Published: 2026-03-31
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.74% (74.8th percentile)
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
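A defensive wrapper that enforces the workaround above, added here as an example and not lodash's own code: it accepts only own-property key names that are plain identifiers before they can reach a template engine that splices them into a parameter list, and it contrasts that with a simplified model of the `for..in` merge the advisory describes. `isSafeImportKey`, `sanitizeImports`, `collectImportKeysUnsafe` and `compileTemplateSafely` are hypothetical names, and the `compile` callback stands in for the real engine.

```javascript
// Added example (not lodash's own code). Validates the key names of an
// `imports` object before a template engine turns them into function
// parameter names (the Function() sink described in the advisory).

// A parameter name must be a plain identifier. Anything else (spaces, `=`,
// `,`, `)`) would be parsed as code once spliced into a parameter list.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words look like identifiers but are not legal parameter names.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'export', 'extends', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'return', 'super',
  'switch', 'this', 'throw', 'try', 'typeof', 'var', 'void', 'while',
  'with', 'yield', 'let', 'static', 'enum', 'await', 'implements',
  'package', 'protected', 'interface', 'private', 'public',
  'null', 'true', 'false',
]);

// True only for a developer-style static key name such as `helper`.
function isSafeImportKey(key) {
  return typeof key === 'string' && IDENTIFIER.test(key) && !RESERVED.has(key);
}

// Simplified model of the vulnerable merge: `for..in` also walks inherited
// enumerable properties, so keys planted on a prototype are collected too.
function collectImportKeysUnsafe(imports) {
  const keys = [];
  for (const key in imports) keys.push(key);
  return keys;
}

// Hardened collection: own properties only, every name validated, and the
// result has no prototype so nothing can be inherited into it later.
// Throws rather than silently dropping keys, so a bad caller is noticed.
function sanitizeImports(imports) {
  const safe = Object.create(null);
  for (const key of Object.keys(imports)) {
    if (!isSafeImportKey(key)) {
      throw new TypeError(`unsafe imports key name: ${JSON.stringify(key)}`);
    }
    safe[key] = imports[key];
  }
  return safe;
}

// Wrapper a code base can route all template compilation through.
// `compile` is the real engine (e.g. lodash's _.template); it is only
// called once `options.imports` has been sanitized.
function compileTemplateSafely(compile, text, options = {}) {
  const imports = options.imports ? sanitizeImports(options.imports) : undefined;
  return compile(text, { ...options, imports });
}
```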
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-lodash | < node-lodash 4.18.1+dfsg-1 (forky) | node-lodash 4.18.1+dfsg-1 (forky) |
| lodash | lodash | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash-amd | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash-es | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash-es | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash.template | >= 4.0.0 < 4.18.0 | 4.18.0 |
| lodash | lodash.template | >= 4.0.0 < 4.18.0 | 4.18.0 |
| ubuntu | node-lodash | — | — |
Detection & IOCs (extracted from sources)
- Attacker-controlled key names in options.imports passed to _.template() flow into the Function() constructor sink, enabling arbitrary code execution at template compilation time; monitor for dynamic or untrusted strings used as options.imports key names in lodash _.template calls.
- One exploit path relies on Object.prototype pollution as a secondary vector; if prototype pollution is detected elsewhere, treat lodash _.template usage as additionally at risk, because polluted keys are enumerated via for..in and passed to Function().
- The vulnerable sink is the Function() constructor invoked during lodash template compilation; audit or instrument Function() constructor calls originating from lodash template internals as a detection point.
- The incomplete fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) only patched the 'variable' option path; the options.imports key-name path remained unpatched, so detection should cover both the variable option and imports key names as injection points in _.template.
- In Red Hat Enterprise Linux, grafana and grafana-pcp execute the affected lodash JavaScript entirely client-side in the user's browser, restricting the attack surface to the local browser environment only.
- cachelib ships the affected JavaScript only as part of its website; the files are not included in binary RPMs, so the attack surface for that package is limited to the web context.
- The fix is available in lodash 4.18.0 (NVD/RH advisory) and 4.18.1+dfsg-1 (Debian); Debian forky/sid are resolved while bookworm, bullseye, and trixie remain open.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 7.2 | HIGH | |
| osv | 7.2 | HIGH | |
| vendor_debian | 7.2 | HIGH | |
| vendor_redhat | 7.2 | HIGH | |
| vendor_ubuntu | 5.3 | MEDIUM | |
VulDB
Lodash up to 4.17.x Parameter Function options.imports code injection (GHSA-35jh-r3h4-6jhm / Nessus ID 304625)
vuldb · 2026-05-06 · CVSS 9.8 [CRITICAL]
A vulnerability was found in Lodash up to 4.17.x and classified as critical. Affected by this issue is the function Function of the component Parameter Handler. The manipulation of the argument options.imports results in code injection.
This vulnerability was named CVE-2026-4800. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
lodash vulnerable to Code Injection via `_.template` imports key names
ghsa · 2026-04-01 · CVSS 7.2 [HIGH] · CWE-94
### Impact
The fix for [CVE-2021-23337](https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink.
When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.
OSV
lodash vulnerable to Code Injection via `_.template` imports key names
osv · 2026-04-01 · CVSS 7.2 [HIGH]
OSV
CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github
osv · 2026-03-31 · CVSS 7.2 [HIGH]
Ubuntu
Lodash vulnerabilities
vendor_ubuntu · 2026-06-09 · CVSS 5.3 [MEDIUM] · CVE-2025-13465
Summary: Several security issues were fixed in Lodash.
It was discovered that Lodash was vulnerable to a prototype pollution issue in the zipObjectDeep function. An attacker could possibly use this issue to modify application behavior. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8203)
Liyuan Chen discovered that Lodash was vulnerable to a regular expression denial of service issue in the toNumber, trim, and trimEnd functions. An attacker could possibly use this issue to consume excessive system resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28500)
Marc Hassan discovered that Lodash did not properly sanitize input to the template function. An attacker could
Red Hat
lodash: lodash: Arbitrary code execution via untrusted input in template imports
vendor_redhat · 2026-03-31 · CVSS 7.2 [HIGH] · CWE-94
Debian
CVE-2026-4800: node-lodash - Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h...
vendor_debian · 2026 · CVSS 7.2 [HIGH]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-4800 python-jupyterlab-widgets: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-4800 prometheus: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
FEDORA-EPEL-2026-1ce4512bd4 (prometheus-3.11.0-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-1ce4512bd4
---
FEDORA-EPEL-2026-1ce4512bd4 has been pushed to the Fedora EPEL 10.3 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-1ce4512bd4
See also https://fedoraproject.org/wiki/QA:Updates_Testing f
Bugzilla
CVE-2026-4800 cachelib: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla
CVE-2026-4800 cachelib: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla
CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update to Fedora EPEL
Bugzilla
CVE-2026-4800 mozjs78: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
Closing CVE bug as not relevant to the mozjs package, and there is sadly no option to opt out from these reports :( .
Bugzilla
CVE-2026-4800 cockpit-podman: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
lodash was updated to 4.18.1 in cockpit-podman 125.
Bugzilla
CVE-2026-4800 glances: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-4800 pgadmin4: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
FEDORA-2026-5e39475fb3 (pgadmin4-9.14-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5e39475fb3
---
FEDORA-2026-e54aebce7c (pgadmin4-9.14-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e54aebce7c
---
FEDORA-2026-5e39475fb3 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the fo
Bugzilla
CVE-2026-4800 python-jupyterlab-widgets: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
jupyterlab_widgets bundles only lodash.isEqual (and its internal dependencies) via backbone.js. The _.template() function and all code paths leading to the vulnerable Function() constructor call are not compiled into the shipped static bundle. The templateSettings symbol present in the bundle belongs to underscore.js (backbone's dependency), not lodash.
Bugzilla
CVE-2026-4800 pcs: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
Upstream fix: https://github.com/ClusterLabs/pcs-web-ui/commit/0afc9b832a6dddc00c523a78abbda5ccbf6675b1
Bugzilla
CVE-2026-4800 ansible: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Bugzilla
CVE-2026-4800 python-torch: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
I'm closing with the view that while this may be present in build inputs, as far as I am aware this JavaScript Library does not appear in the Python code or compiled objects output by our build process.
Bugzilla
CVE-2026-4800 ansible: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Bugzilla
CVE-2026-4800 python-jupyterlab_pygments: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Bugzilla
CVE-2026-4800 jupyterlab: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
_.template() and its Function() constructor call are not present in the browser bundle (tree-shaken). Not exploitable.
Bugzilla
CVE-2026-4800 prometheus: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
FEDORA-EPEL-2026-1ce4512bd4 (prometheus-3.11.0-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-1ce4512bd4
---
FEDORA-EPEL-2026-1ce4512bd4 has been pushed to the Fedora EPEL 10.3 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-1ce4512bd4
See also https://fedoraproject.org/wiki/QA:Updates_Testing for
Bugzilla
CVE-2026-4800 mozjs140: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
Closing CVE bug as not relevant to the mozjs package, and there is sadly no option to opt out from these reports :( .
Bugzilla
CVE-2026-4800 python-jupytext: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
FEDORA-2026-301cbbe347 (python-jupytext-1.19.1-4.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-301cbbe347
---
FEDORA-2026-85b819b928 (python-jupytext-1.19.1-4.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-85b819b928
---
FEDORA-2026-793b55138d (python-jupytext-1.19.1-4.fc42) has been submitted as an update to Fedora 42.
htt
Bugzilla
CVE-2026-4800 fbthrift: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 8.1 [HIGH]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla
CVE-2026-4800 cockpit-files: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
This was fixed in cockpit-files-40-1.fc45.
Bugzilla
CVE-2026-4800 nextcloud: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update to Fedora EPEL 10
Bugzilla
CVE-2026-4800 python-jupyterlab_pygments: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
lodash appears in yarn.lock as a transitive build-time dependency (pulled in by @jupyterlab/builder), but is entirely absent from the shipped browser bundle. third-party-licenses.json confirms it. CVE doesn't apply.
Bugzilla
CVE-2026-4800 glances: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-4800 goose: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
After investigations from Martin Litwora (QE in my team), we concluded that goose is not directly affected by this, since it is not using any of the affected functions.
Bugzilla
CVE-2026-4800 cockpit-machines: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla · 2026-04-01 · CVSS 9.8 [CRITICAL]
Discussion:
This does not affect cockpit-machines as it requires arbitrary code execution in the browser already via XSS. Meanwhile we have updated lodash to >= 4.18.1 in cockpit-machines 352 which resolves this issue.
Bugzilla
CVE-2026-4800 python-torch: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 python-torch: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
As far as I am aware the vulnerable lodash code is not shipped in the python-torch package.
Bugzilla
CVE-2026-4800 fbthrift: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 fbthrift: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
Discussion:
This project only ships JavaScript code as part of the website; the files are not shipped in the binary RPMs.
Bugzilla
CVE-2026-4800 yarnpkg: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 yarnpkg: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
FEDORA-2026-085abeea02 (yarnpkg-1.22.22-18.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-085abeea02
---
FEDORA-2026-7a6943e57d (yarnpkg-1.22.22-18.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-7a6943e57d
---
FEDORA-EPEL-2026-7f228e17b9 (yarnpkg-1.22.22-18.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.f
Bugzilla
CVE-2026-4800 subscription-manager-cockpit: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 9.8
CVE-2026-4800 [CRITICAL] CVE-2026-4800 subscription-manager-cockpit: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
Resolved in the latest release:
[root@fedora-rawhide-127-0-0-2-2201 ~]# rpm -q --provides subscription-manager-cockpit
application()
application(subscription-manager-cockpit.desktop)
bundled(npm(@patternfly/react-core)) = 6.4.1
bundled(npm(@patternfly/react-icons)) = 6.4.0
bundled(npm(@patternfly/react-styles)) = 6.4.0
bundled(npm(@patternfly/react-table)) = 6.4.1
bundled(npm(@patternfly/react-tokens)) = 6.4.0
bundled(npm(focu
Bugzilla
CVE-2026-4800 mozjs128: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 9.8
CVE-2026-4800 [CRITICAL] CVE-2026-4800 mozjs128: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
Closing CVE bug as not relevant to the mozjs package, and there is sadly no option to opt out from these reports :( .
Bugzilla
CVE-2026-4800 openbao: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 openbao: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
OpenBao does not have any server-side JavaScript, so this vulnerability is not applicable.
Bugzilla
CVE-2026-4800 openbao: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 openbao: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
Discussion:
OpenBao does not have any server-side JavaScript, so this vulnerability is not applicable.
Bugzilla
CVE-2026-4800 goose: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
bugzilla·2026-04-01·CVSS 9.8
CVE-2026-4800 [CRITICAL] CVE-2026-4800 goose: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]
Discussion:
After investigations by Rodolfo Olivieri and Martin Litwora, we concluded that goose is not directly affected by this, since it is not using any of the affected functions.
Bugzilla
CVE-2026-4800 anaconda-webui: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 9.8
CVE-2026-4800 [CRITICAL] CVE-2026-4800 anaconda-webui: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
Will need the same triaging with https://bugzilla.redhat.com/show_bug.cgi?id=2454006
Bugzilla
CVE-2026-4800 cockpit: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 cockpit: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
This is almost surely a N/A for cockpit and the similar bugs filed against the other projects. Alexandra, can you please find someone to triage this? Thanks!
Bugzilla
CVE-2026-4800 openqa: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 9.8
CVE-2026-4800 [CRITICAL] CVE-2026-4800 openqa: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
openQA only uses lodash via dagre(-d3), and AFAICS, the versions of dagre(-d3) used by openQA never use the affected options.imports feature:
[adamw@toolbx fedora-toolbox-43 dagre ((v0.8.5))]$ grep -R imports
[adamw@toolbx fedora-toolbox-43 dagre ((v0.8.5))]$
[adamw@toolbx fedora-toolbox-43 dagre-d3 ((v0.6.4))]$ grep -R imports
[adamw@toolbx fedora-toolbox-43 dagre-d3 ((v0.6.4))]$
so I don't think this is a practical issue for openQA. I'll still
Bugzilla
CVE-2026-4800 qt5-qtbase: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
bugzilla·2026-04-01·CVSS 8.1
CVE-2026-4800 [HIGH] CVE-2026-4800 qt5-qtbase: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]
Discussion:
It's not affected, as util/gradientgen/gradientgen.js is the only file referencing lodash. This script is not utilized during the standard build process of qt5-qtbase, nor is it triggered by any internal Qt5 logic. It is not included in the binary packages.
Bugzilla
CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
bugzilla·2026-03-31·CVSS 7.2
CVE-2026-4800 [HIGH] CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
Impact:
The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
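For the impact described above, an added example (not lodash's code, nor anything from the trackers) of the defensive check an application can put in front of _.template: it applies the same forbidden-character validation to options.imports key names that lodash's fix for CVE-2021-23337 applies to the variable option, and it copies only own properties, so keys inherited from a polluted prototype are never handed to Function(). The helper names, the stand-in template function and the sample input are this example's own.

```javascript
// Added example, not lodash's or any tracker's code. It shows the two defects
// the advisory describes from the defender's side: (1) key names of
// `options.imports` are validated with the forbidden-character class that
// lodash's CVE-2021-23337 fix applies to the `variable` option, and
// (2) only own properties are copied, unlike a for..in based merge, so keys
// inherited from a polluted Object.prototype never reach Function().

// Character class rejected by lodash's fix for `variable`: anything that could
// terminate or extend the parameter list that is passed to Function().
const FORBIDDEN_IDENTIFIER_CHARS = /[()=,{}\[\]\/\s]/;

// Stricter allow-list on top of that: a plain JavaScript identifier.
const PLAIN_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

// What a for..in based merge (as in assignInWith) sees: own AND inherited keys.
function keysSeenByForIn(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Build a prototype-less copy containing only own, validly named keys.
function sanitizeImports(imports) {
  const safe = Object.create(null); // no prototype: nothing to inherit later
  const rejected = [];
  for (const key of Object.keys(imports)) { // own enumerable keys only
    if (FORBIDDEN_IDENTIFIER_CHARS.test(key) || !PLAIN_IDENTIFIER.test(key)) {
      rejected.push(key);
      continue;
    }
    safe[key] = imports[key];
  }
  return { safe, rejected };
}

// Wrapper to put in front of `_.template` (passed in as `template` so this
// file runs without lodash installed): refuse to compile at all if any key
// name fails validation, otherwise compile with the sanitized imports.
function compileWithSafeImports(template, text, imports) {
  const { safe, rejected } = sanitizeImports(imports);
  if (rejected.length > 0) {
    throw new Error('Rejected options.imports key name(s): ' + JSON.stringify(rejected));
  }
  return template(text, { imports: safe });
}

// Constructed sample input. A throwaway prototype stands in for a polluted
// Object.prototype so the example never mutates the real global prototype.
const POLLUTED_PROTO = { polluted: 'inherited-from-prototype' };
const SAMPLE_IMPORTS = Object.assign(Object.create(POLLUTED_PROTO), {
  fmt: (v) => String(v).toUpperCase(), // valid: plain identifier
  'fmt = 0': 1,                        // default-parameter syntax: rejected
  'a,b': 2,                            // extra parameter: rejected
});

// Stand-in for `_.template` that only records what it would have received.
function recordingTemplate(text, options) {
  return { text, importKeys: Object.keys(options.imports) };
}

function demo() {
  const seen = keysSeenByForIn(SAMPLE_IMPORTS); // includes 'polluted'
  const { safe, rejected } = sanitizeImports(SAMPLE_IMPORTS);
  let error = null;
  try {
    compileWithSafeImports(recordingTemplate, '<%= fmt(name) %>', SAMPLE_IMPORTS);
  } catch (e) {
    error = e.message; // the untrusted key names abort compilation
  }
  // With the sanitized object, only `fmt` is handed to the template compiler.
  const ok = compileWithSafeImports(recordingTemplate, '<%= fmt(name) %>', safe);
  return { seen, safeKeys: Object.keys(safe), rejected, error, ok };
}
```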
Wiz
CVE-2026-28375 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-28375 [MEDIUM] CVE-2026-28375 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28375 :
Grafana vulnerability analysis and mitigation
A testdata data-source can be used to trigger out-of-memory crashes in Grafana.
Source : NVD
## 6.5
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Grafana
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-mssql
grafana-stackdriver
Sources
Chainguard Has Fix Added at: Mar 29, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 05, 2026
Nix Severity MEDIUM Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity MEDIUM No Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at
Wiz
CVE-2026-27137 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27137 [HIGH] CVE-2026-27137 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27137 :
Grafana vulnerability analysis and mitigation
When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.
Source : NVD
## 7.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
HashiCorp Vault
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-misc
container-tools:rhel8::buildah
Sources
NVD
Alpine 3.23 Severity HIGH Has Fix Added at: Mar 0
Wiz
CVE-2026-21721 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-21721 [HIGH] CVE-2026-21721 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21721 :
Grafana vulnerability analysis and mitigation
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation.
Source : NVD
## 8.1
Score
Published January 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Grafana
Rocky Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-prometheus
grafana-fips-11.6
Sources
NVD
AlmaLinux 9 Severity
Wiz
CVE-2026-27879 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27879 [MEDIUM] CVE-2026-27879 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27879 :
Grafana vulnerability analysis and mitigation
A resample query can be used to trigger out-of-memory crashes in Grafana.
Source : NVD
## 6.5
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Grafana
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-mysql
grafana-prometheus
Sources
Chainguard Has Fix Added at: Mar 29, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 05, 2026
Nix Severity MEDIUM Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity MEDIUM No Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 2
Wiz
CVE-2026-27880 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27880 [HIGH] CVE-2026-27880 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27880 :
Grafana vulnerability analysis and mitigation
The OpenFeature feature toggle evaluation endpoint reads unbounded values into memory, which can cause out-of-memory crashes.
Source : NVD
## 7.5
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-cloudwatch
grafana-loki
Sources
Chainguard Has Fix Added at: Mar 29, 2026
Homebrew Severity HIGH Has Fix Added at: Apr 05, 2026
Nix Severity HIGH Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity HIGH No Fix Added at: Mar 29, 2026
Li
Wiz
CVE-2026-33937 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33937 [LOW] CVE-2026-33937 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33937 :
Grafana vulnerability analysis and mitigation
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source : NVD
## 9.8
Score
Published March 27, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 62.2
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
thunderbird
handlebars
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity CRITICAL
Wiz
CVE-2026-21720 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-21720 [HIGH] CVE-2026-21720 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21720 :
Grafana vulnerability analysis and mitigation
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Source : NVD
## 7.5
Score
Published January 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2026-21724 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-21724 [MEDIUM] CVE-2026-21724 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21724 :
Grafana vulnerability analysis and mitigation
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission.
Source : NVD
## 5.4
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:grafana:grafana
grafana-11.6
Sources
NVD
Chainguard No Fix Added at: Apr 02, 2026
MinimOS Severity MEDIUM Has
Wiz
CVE-2026-33487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33487 [HIGH] CVE-2026-33487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33487 :
Grafana vulnerability analysis and mitigation
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-azure-monitor
grafana-cloudwatch
Sources
NVD
Chainguard Has Fix Added at: Mar 21, 2026
GoLang Severity HIGH Has Fix Added at: Mar 20, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 22, 2026
Red Hat 8, 9, 10 Severity HIGH No Fix Added at: Mar 29, 2026
Wolfi Has Fix Added at: Mar 21, 202
Wiz
CVE-2026-4800 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-4800 [HIGH] CVE-2026-4800 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4800 :
JavaScript vulnerability analysis and mitigation
Impact:
The fix for CVE-2021-23337 ( https://github.com/advisories/GHSA-35jh-r3h4-6jhm ) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users shoul
Wiz
CVE-2026-33938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33938 [LOW] CVE-2026-33938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33938 :
Grafana vulnerability analysis and mitigation
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source : NVD
## 8.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-9.1
opensearch-dashboards-2
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity
Wiz
CVE-2025-68156 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68156 [HIGH] CVE-2025-68156 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68156 :
Grafana vulnerability analysis and mitigation
Source : NVD
## 7.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Amazon CloudWatch Agent
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eks-distro-1.33
elastic-agent-fips-9.0
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Dec 25, 2025
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Dec 28, 2025
Chainguard Has Fix Added at: Dec 18, 2025
Echo Severity HIGH No Fix Added at: Dec 18, 2025
GoLang Severity HIGH Has Fix Added at: Dec 17, 20
Wiz
CVE-2026-28377 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-28377 [HIGH] CVE-2026-28377 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28377 :
Grafana vulnerability analysis and mitigation
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3.
Thanks to william_goodfellow for reporting this vulnerability.
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Grafana Tempo
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-elasticsearch
grafana-graphite
Sources
NVD
Nix Severity HIGH Has Fix Added at: Apr 05,
Wiz
CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27877 [MEDIUM] CVE-2026-27877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27877 :
Grafana vulnerability analysis and mitigation
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards.
No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve your deployments' security.
Source : NVD
## 7.5
Score
Published March 27, 2026
Severity HIGH
CNA Score 6.5
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-prometheus
grafana-fips-12.4
Sources
Chainguard Has
Wiz
CVE-2026-33916 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33916 [LOW] CVE-2026-33916 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33916 :
Grafana vulnerability analysis and mitigation
Source : NVD
## 4.7
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-loki
grafana-postgres
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
npm Severity ME
Wiz
CVE-2026-27876 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-27876 [CRITICAL] CVE-2026-27876 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27876 :
Grafana vulnerability analysis and mitigation
A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always recommended to update to avoid future attack vectors going this path.
Only instances with the sqlExpressions feature toggle enabled are vulnerable.
Only instances in the following version ranges are affected:
11.6.0 (inclusive) to 11.6.14 (exclusive): 11.6.14 has the fix. 11.5 and below are not affected.
12.0.0 (inclusive) to 12.1.10 (exclusive): 12.1.10 has the fix. 12.0 did not receive an update, as it is end-of-life.
12.2.0 (inclusive) to 12.2.8 (exclusive): 12.2.8 has the fix.
12.3.0 (inclusive) to 12.3.6 (exclusive)
Wiz
CVE-2026-33941 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33941 [LOW] CVE-2026-33941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33941 :
Grafana vulnerability analysis and mitigation
Source : NVD
## 8.2
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
handlebars
389-ds:1.4::389-ds-base-legacy-tools
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
npm Severity HIGH Has Fix Added at: Mar 29, 2026
Red Hat 7, 8, 9, 1
Wiz
CVE-2026-33375 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33375 [MEDIUM] CVE-2026-33375 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33375 :
Grafana vulnerability analysis and mitigation
The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user (Viewer) to bypass API restrictions and trigger a catastrophic Out-Of-Memory (OOM) memory exhaustion, crashing the host container.
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-fips-11.6
grafana-fips-12.2
Sources
Chainguard No Fix Added at: Apr 02, 2026
Homebrew Severity MEDIUM Has Fix Added at: Apr 05, 2026
MinimOS Severit
Wiz
CVE-2026-33939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33939 [LOW] CVE-2026-33939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33939 :
Grafana vulnerability analysis and mitigation
Source : NVD
## 7.5
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
firefox-x11
grafana-loki
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2
Wiz
CVE-2026-27141 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27141 [HIGH] CVE-2026-27141 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27141 :
Grafana vulnerability analysis and mitigation
Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic.
Source : NVD
## 7.5
Score
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Podman
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
crossplane-provider-aws-wafv2
seaweedfs-operator-fips
Sources
NVD
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 14, 2026
Chainguard Has Fix Added at: Mar 03, 2026
GoLang Severity HIGH Has Fix Added at: Mar 13, 2026
Red Hat 8, 9, 10 Severity MEDIUM No Fix Added at: Mar 02, 2026
Wiz
CVE-2026-21722 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21722 [MEDIUM] CVE-2026-21722 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21722 :
Grafana vulnerability analysis and mitigation
Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange.
This did not leak any annotations that would not otherwise be visible on the public dashboard.
Source : NVD
## 5.3
Score
Published February 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Grafana
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-github-lus
Wiz
CVE-2026-21725 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.6
CVE-2026-21725 [LOW] CVE-2026-21725 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21725 :
Grafana vulnerability analysis and mitigation
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so.
This requires several very stringent conditions to be met:
The attacker must have admin access to the specific datasource prior to its first deletion.
Upon deletion, all steps within the attack must happen within the next 30 seconds and on the same pod of Grafana.
The attacker must delete the datasource, then someone must recreate it.
The new datasource must not have the attacker as an admin.
The new datasource must have the same UID as the prior datasource. These are randomised by default.
The datasource can now be re-deleted by the attacker.
Once 30 seconds are up, th
## Wiz: CVE-2026-33940 Impact, Exploitability, and Mitigation Steps (LOW, CVSS 2.8)
Grafana vulnerability analysis and mitigation
Identifiers referenced in the description: `resolvePartial()`, `invokePartial()`, `undefined`, `env.compile()`, `require('handlebars/runtime')`, `compile()`, `invokePartial`, `{{> (lookup ...)}}`
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source : NVD
Score: 8.1
Published: March 27, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: Grafana, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.1
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: lerna, handlebars
Sources: NVD
Chainguard: Has Fix, Added at: Mar 31, 2026
Debian 11, 12, 13 Sever
## Wiz: CVE-2025-41117 Impact, Exploitability, and Mitigation Steps (MEDIUM, CVSS 6.8)
Grafana vulnerability analysis and mitigation
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field.
Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo do not appear affected whatsoever.
Source : NVD
Score: 6.1
Published: February 12, 2026
Severity: MEDIUM
CNA Score: 6.8
Affected Technologies: Grafana, MinimOS
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: grafana-azure-monitor, grafana-elasticsearch
Sou
References
https://cna.openjsf.org/security-advisories.html
https://github.com/advisories/GHSA-35jh-r3h4-6jhm
https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
https://access.redhat.com/errata/RHSA-2026:10131
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:10710
https://access.redhat.com/errata/RHSA-2026:10713
https://access.redhat.com/errata/RHSA-2026:11454
https://access.redhat.com/errata/RHSA-2026:11469
https://access.redhat.com/errata/RHSA-2026:11470
https://access.redhat.com/errata/RHSA-2026:11471
https://access.redhat.com/errata/RHSA-2026:11493
https://access.redhat.com/errata/RHSA-2026:11494
https://access.redhat.com/errata/RHSA-2026:11495
https://access.redhat.com/errata/RHSA-2026:11516
https://access.redhat.com/errata/RHSA-2026:12277
https://access.redhat.com/errata/RHSA-2026:12279
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:13553
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:14870
https://access.redhat.com/errata/RHSA-2026:14871
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:17448
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17469
https://access.redhat.com/errata/RHSA-2026:17547
https://access.redhat.com/errata/RHSA-2026:17549
https://access.redhat.com/errata/RHSA-2026:17550
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:19008
https://access.redhat.com/errata/RHSA-2026:19167
https://access.redhat.com/errata/RHSA-2026:19409
https://access.redhat.com/errata/RHSA-2026:19410
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:20042
https://access.redhat.com/errata/RHSA-2026:20943
https://access.redhat.com/errata/RHSA-2026:20946
https://access.redhat.com/errata/RHSA-2026:21658
https://access.redhat.com/errata/RHSA-2026:22619
https://access.redhat.com/errata/RHSA-2026:24331
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:8498
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/security/cve/CVE-2026-4800
https://bugzilla.redhat.com/show_bug.cgi?id=2453496
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4800.json
Published 2026-03-31