CVE-2026-4800 — Code Injection in Lodash.template

CWE-94 — Code Injection24 documents8 sources

Severity

9.8CRITICALNVD

CNA7.2GHSA7.2OSV7.2

EPSS

0.1%

top 74.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lodash Lodash Lodash-amd Lodash Lodash-es +2 more

Timeline

PublishedMar 31

Latest updateApr 1

Description

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith t…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages10 packages

▶CVEListV5lodash/lodash.template4.0.0 — 4.18.0

▶npmlodash/lodash.template4.0.0 — 4.18.0

▶NVDlodash/lodash.template4.5.0

▶CVEListV5lodash/lodash4.0.0 — 4.18.0

▶NVDlodash/lodash< 4.17.21

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

lodash vulnerable to Code Injection via `_.template` imports key names↗2026-04-01

▶

OSV

lodash vulnerable to Code Injection via `_.template` imports key names↗2026-04-01

▶

CVEList

lodash vulnerable to Code Injection via `_.template` imports key names↗2026-03-31

▶

OSV

CVE-2026-4800: Impact: The fix for CVE-2021-23337 (https://github↗2026-03-31

▶

📋Vendor Advisories

Red Hat

lodash: lodash: Arbitrary code execution via untrusted input in template imports↗2026-03-31

▶

Debian

CVE-2026-4800: node-lodash - Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4800 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-4800 prometheus: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]↗2026-04-01

▶

Bugzilla

CVE-2026-4800 cachelib: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]↗2026-04-01

▶

Bugzilla

CVE-2026-4800 cachelib: lodash: Arbitrary code execution via untrusted input in template imports [epel-all]↗2026-04-01

▶

Bugzilla

CVE-2026-4800 pgadmin4: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]↗2026-04-01

▶

Bugzilla

CVE-2026-4800 pcs: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all]↗2026-04-01

▶