CVE-2026-4800

Source
https://cve.org/CVERecord?id=CVE-2026-4800
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-4800.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-4800
Aliases
Downstream
Related
Published
2026-03-31T19:25:55.987Z
Modified
2026-05-18T11:54:16.818496398Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
lodash vulnerable to Code Injection via `_.template` imports key names
Details

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option of `_.template` but did not apply the same validation to the key names of `options.imports`. Both flow into the same `Function()` constructor sink: the key names become the parameter list of the function that `_.template` builds when it compiles a template.

When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions into that parameter list. They execute at template compilation time, i.e. when `_.template` is called, before the compiled template is ever rendered.

Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object as own properties and passed to `Function()` along with the developer's keys, so this path requires no untrusted key names in the `_.template` call itself.

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names, or reject any key that is not a single JavaScript identifier before passing it. This does not cover the prototype-pollution path described above, which is addressed by upgrading (or by removing the pollution vector).
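
The following is an added example, not lodash's code or the upstream patch. It models the two paths in the Impact section and the check suggested in Workarounds: the key names of `options.imports` are handed to `Function()` as its parameter list, so a non-identifier key can add a parameter with a default expression that runs at compile time, and a `for..in` merge also picks up a key inherited from a polluted prototype. The function names (`compileVulnerable`, `compileHardened`, the `demo*` helpers), the stand-in template body and the sample inputs are assumptions constructed here; the pollution is simulated with `Object.create` so the real `Object.prototype` is never touched.

```javascript
'use strict';

// Added example, not lodash's code: a simplified model of the _.template flow the
// advisory describes. Key names of options.imports end up as the parameter list of
// the Function() that is built at compile time, so a key that is not a plain
// identifier can smuggle in an extra parameter with a default-parameter expression.
// compileVulnerable / compileHardened and the demo helpers are names chosen here.

// Constructed stand-in for a compiled template body (not lodash's real output),
// roughly what "hello <%= upper(name) %>" would compile to.
const TEMPLATE_BODY = 'function(obj) { return "hello " + upper(obj.name); }';

// Vulnerable model of the pre-4.18.0 path:
//  1. a for..in merge (like assignInWith/keysIn) also copies inherited properties,
//  2. the merged key names go into Function()'s parameter list unvalidated.
// Function(array, body) stringifies the array, so the keys are joined with commas.
function compileVulnerable(body, imports) {
  const merged = {};
  for (const key in imports) merged[key] = imports[key];
  const importsKeys = Object.keys(merged);
  const importsValues = importsKeys.map((k) => merged[k]);
  return Function(importsKeys, 'return ' + body).apply(undefined, importsValues);
}

// Hardened model (one way to close both paths; not the exact upstream patch):
// own keys only, each required to be a single ASCII identifier, so a key can
// neither add parameters nor carry an expression. A reserved word that slips
// through the regex only yields a SyntaxError from Function(), not code execution.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function compileHardened(body, imports) {
  const importsKeys = Object.keys(imports);
  for (const key of importsKeys) {
    if (!IDENTIFIER.test(key)) {
      throw new TypeError('imports key is not an identifier: ' + JSON.stringify(key));
    }
  }
  const importsValues = importsKeys.map((k) => imports[k]);
  return Function(importsKeys, 'return ' + body).apply(undefined, importsValues);
}

// Runs one compile attempt and reports whether injected code executed.
// `evidence` is an ordinary import; the injected default expression pushes to it,
// so no global state is touched. The smuggled trailing parameter receives no
// argument, which is exactly what makes its default expression evaluate.
function attempt(compile, imports, evidence) {
  let tpl = null;
  let error = null;
  try {
    tpl = compile(TEMPLATE_BODY, imports);
  } catch (e) {
    error = e.constructor.name;
  }
  return {
    ran: evidence.length > 0,
    output: tpl ? tpl({ name: 'world' }) : null,
    error,
  };
}

// Scenario 1 from the advisory: untrusted input chooses the helper's key name.
function demoUntrustedKeyName(compile) {
  const evidence = [];
  const attackerKey = 'upper, injected = evidence.push("ran at compile time")';
  const imports = { evidence, [attackerKey]: (s) => s.toUpperCase() };
  return attempt(compile, imports, evidence);
}

// Scenario 2: Object.prototype already polluted by some other bug. Simulated here
// with Object.create so the real Object.prototype is left untouched; the malicious
// key is inherited, not an own property of the developer's imports object.
function demoPollutedPrototype(compile) {
  const evidence = [];
  const pollutedProto = { 'ignored, injected = evidence.push("inherited key ran")': 1 };
  const imports = Object.create(pollutedProto);
  imports.evidence = evidence;
  imports.upper = (s) => s.toUpperCase();
  return attempt(compile, imports, evidence);
}

console.log('untrusted key, vulnerable:', demoUntrustedKeyName(compileVulnerable));
console.log('untrusted key, hardened:  ', demoUntrustedKeyName(compileHardened));
console.log('polluted proto, vulnerable:', demoPollutedPrototype(compileVulnerable));
console.log('polluted proto, hardened:  ', demoPollutedPrototype(compileHardened));
```

Run with `node`. The vulnerable model reports `ran: true` in both scenarios while still returning a working template, which is why the bug is easy to miss in testing; the hardened model throws a `TypeError` for the attacker-supplied key and silently ignores the inherited one, because `Object.keys` never sees prototype properties.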

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4800.json",
    "cna_assigner": "openjs",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/lodash/lodash

Affected ranges

Type
GIT
Repo
https://github.com/lodash/lodash
Events

Affected versions

4.*
4.0.0-npm-packages
4.0.1-npm-packages
4.0.2-npm-packages
4.0.3-npm-packages
4.0.4-npm-packages
4.0.5-npm-packages
4.0.6-npm-packages
4.0.7-npm-packages
4.0.8-npm-packages
4.0.9-npm-packages
4.1.0-npm-packages
4.1.1-npm-packages
4.1.2-npm-packages
4.1.3-npm-packages
4.1.4-npm-packages
4.1.5-npm-packages
4.10.0-npm-packages
4.10.1-npm-packages
4.10.2-npm-packages
4.11.0-npm-packages
4.11.1-npm-packages
4.11.2-npm-packages
4.12.0-npm-packages
4.12.1-npm-packages
4.13.0-npm-packages
4.14.0-npm-packages
4.15.0-npm-packages
4.2.0-npm-packages
4.2.1-npm-packages
4.2.2-npm-packages
4.2.3-npm-packages
4.2.4-npm-packages
4.2.5-npm-packages
4.3.0-npm-packages
4.3.1-npm-packages
4.3.2-npm-packages
4.3.3-npm-packages
4.3.4-npm-packages
4.3.5-npm-packages
4.4.0-npm-packages
4.4.1-npm-packages
4.4.2-npm-packages
4.4.3-npm-packages
4.5.0-npm-packages
4.5.1-npm-packages
4.5.2-npm-packages
4.5.3-npm-packages
4.5.4-npm-packages
4.5.5-npm-packages
4.5.6-npm-packages
4.5.7-npm-packages
4.6.0-npm-packages
4.6.1-npm-packages
4.6.2-npm-packages
4.7.0-npm-packages
4.7.1-npm-packages
4.8.0-npm-packages
4.8.1-npm-packages
4.9.0-npm-packages
4.9.1-npm-packages

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-4800.json"