CVE-2026-4800
published 2026-03-31


Priority: P2 / 64
Severity: critical (CVSS 3.1 base score 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.74% (74.8th percentile)
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches: Users should upgrade to version 4.18.0.

Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
debian | node-lodash | < node-lodash 4.18.1+dfsg-1 (forky) | node-lodash 4.18.1+dfsg-1 (forky)
lodash | lodash | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash-amd | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash-es | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash-es | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash.template | >= 4.0.0 < 4.18.0 | 4.18.0
lodash | lodash.template | >= 4.0.0 < 4.18.0 | 4.18.0
ubuntu | node-lodash | (not stated) | (not stated)

Detection & IOCs (extracted from sources)

  • Attacker-controlled key names in options.imports passed to _.template() flow into the Function() constructor sink, enabling arbitrary code execution at template compilation time — monitor for dynamic/untrusted strings used as options.imports key names in lodash _.template calls
  • A secondary exploit path goes through Object.prototype pollution — if prototype pollution is detected elsewhere, treat lodash _.template usage as additionally at risk because polluted keys are enumerated via for..in and passed to Function()
  • The vulnerable sink is the Function() constructor invoked during lodash template compilation — audit/instrument Function() constructor calls originating from lodash template internals as a detection point
  • The incomplete fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) only patched the 'variable' option path; the options.imports key-name path remained unpatched — detection should cover both the variable option and imports key names as injection points in _.template
  • In Red Hat Enterprise Linux, grafana and grafana-pcp execute the affected lodash JavaScript entirely client-side in the user's browser, restricting the attack surface to the local browser environment only
  • cachelib ships the affected JavaScript only as part of its website; the files are not included in binary RPMs, so the attack surface for that package is limited to the web context
  • The fix is available in lodash 4.18.0 (NVD/RH advisory) and 4.18.1+dfsg-1 (Debian); Debian forky/sid are resolved while bookworm, bullseye, and trixie remain open
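The workaround in the description (only developer-controlled, static key names in options.imports) and the first detection bullet above both come down to one check: a key name must be a plain identifier before it is allowed anywhere near the Function() parameter list. The guard below is an added example, not lodash code and not part of the advisory; the function names, the regex and the sample input are assumptions. It also drops inherited keys, so a polluted Object.prototype contributes nothing, and it hands back a null-prototype object so nothing can be inherited downstream either.

```javascript
// Added example: an application-side guard in front of _.template()
// (not lodash code, not from the advisory). Names below are assumptions.

// Identifier shape, deliberately restricted to ASCII. A key that is not a
// plain identifier cannot be spliced into a Function() parameter list safely.
const SAFE_KEY = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeImportKey(key) {
  return typeof key === "string" && SAFE_KEY.test(key);
}

// Returns a null-prototype copy of `imports` holding only own, enumerable,
// identifier-shaped keys. Any own key that fails the check throws, so a caller
// mistake surfaces before compilation instead of reaching Function().
function sanitizeImports(imports) {
  const clean = Object.create(null);
  // Object.keys() walks own keys only; for..in would also enumerate the
  // prototype chain, which is the pollution path described in the advisory.
  for (const key of Object.keys(imports)) {
    if (!isSafeImportKey(key)) {
      throw new TypeError(`unsafe options.imports key name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Wraps any template compiler with the signature compile(source, options),
// such as lodash's _.template, and applies the guard to options.imports.
function compileWithSafeImports(compile, source, options = {}) {
  const imports = options.imports ? sanitizeImports(options.imports) : undefined;
  return compile(source, { ...options, imports });
}

// Constructed sample input: one legitimate helper plus a key that is only
// reachable through the prototype chain, which the guard drops.
const sampleImports = Object.create({ inheritedFromPrototype: "ignored" });
sampleImports.escapeHtml = (s) => String(s).replace(/</g, "&lt;");
const guarded = sanitizeImports(sampleImports);
console.log(Object.keys(guarded)); // prints [ 'escapeHtml' ]
```

The regex checks shape only. A key that is an identifier but also a reserved word (for example `return`) still fails, because Function() itself rejects it with a SyntaxError; that is a crash, not an injection, and is the behaviour you want from a static allow-list of helper names.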

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa | | 7.2 | HIGH |
osv | | 7.2 | HIGH |
vendor_debian | | 7.2 | HIGH |
vendor_redhat | | 7.2 | HIGH |
vendor_ubuntu | | 5.3 | MEDIUM |