lodash vulnerable to Code Injection via `_.template` imports key names
Summary
| CVE | CVE-2026-4800 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-31 20:16:29 UTC |
| Updated | 2026-07-10 12:17:07 UTC |
| Description | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.017350000 probability, percentile 0.749950000 (date 2026-07-12)
Problem Types: CWE-94 | CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection') | CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Lodash | Lodash | All | All | All | All |
| Application | Lodash | Lodash-amd | All | All | All | All |
| Application | Lodash | Lodash-es | All | All | All | All |
| Application | Lodash | Lodash.template | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:12279 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11493 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34100 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8491 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8493 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11471 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17547 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:20041 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9385 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Not Applicable |
| access.redhat.com/errata/RHSA-2026:19410 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11469 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17469 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13553 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17550 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14871 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4800.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21658 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24977 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24331 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10710 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8484 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17448 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:9742 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11494 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24762 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19167 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:29795 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11516 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19008 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:16874 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20943 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20946 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11454 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/advisories/GHSA-35jh-r3h4-6jhm | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Not Applicable |
| access.redhat.com/errata/RHSA-2026:10131 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10175 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:20042 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13826 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11495 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17598 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8483 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:11470 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:12277 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13545 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-4800 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13571 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19712 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17549 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8490 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8498 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:19409 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:14870 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:22619 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10713 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17789 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17468 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: dolevmiz1 (en)
CNA: bugbunny-research (en)
CNA: M0nd0R (en)
CNA: UlisesGascon (en)
CNA: falsyvalues (en)
CNA: jonchurch (en)
CNA: threalwinky (en)
CNA: jdalton (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-31T20:01:21.918Z | Reported to Red Hat. |
| ADP | 2026-03-31T19:25:55.987Z | Made public. |
Solutions
ADP: RHSA-2026:24762: Red Hat Ansible Automation Platform 2.6 for RHEL 9
ADP: RHSA-2026:17789: Cryostat 4 on RHEL 9
ADP: RHSA-2026:24331: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:11470: Red Hat Enterprise Linux High Availability EUS (v. 10.0)
ADP: RHSA-2026:10713: Red Hat Enterprise Linux High Availability (v. 10)
ADP: RHSA-2026:19008: Red Hat Enterprise Linux High Availability (v. 10)
ADP: RHSA-2026:11493: Red Hat Enterprise Linux High Availability AUS (v.8.4), Red Hat Enterprise Linux HighAvailability EUS EXTENSION (v.8.4)
ADP: RHSA-2026:11494: Red Hat Enterprise Linux High Availability E4S (v.8.6), Red Hat Enterprise Linux High Availability TUS (v.8.6)
ADP: RHSA-2026:11495: Red Hat Enterprise Linux High Availability E4S (v.8.8), Red Hat Enterprise Linux High Availability TUS (v.8.8)
ADP: RHSA-2026:11454: Red Hat Enterprise Linux High Availability E4S (v.9.0), Red Hat Enterprise Linux ResilientStorage E4S (v.9.0)
ADP: RHSA-2026:11469: Red Hat Enterprise Linux High Availability E4S (v.9.2), Red Hat Enterprise Linux Resilient Storage E4S (v.9.2)
ADP: RHSA-2026:11516: Red Hat Enterprise Linux High Availability EUS (v.9.4), Red Hat Enterprise Linux Resilient Storage EUS (v.9.4)
ADP: RHSA-2026:11471: Red Hat Enterprise Linux High Availability EUS (v.9.6), Red Hat Enterprise Linux Resilient Storage EUS (v.9.6)
ADP: RHSA-2026:10710: Red Hat Enterprise Linux High Availability (v. 9), Red Hat Enterprise Linux Resilient Storage (v. 9)
ADP: RHSA-2026:19167: Red Hat Enterprise Linux High Availability (v. 9), Red Hat Enterprise Linux Resilient Storage (v. 9)
ADP: RHSA-2026:19409: Migration Toolkit for Virtualization 2.1
ADP: RHSA-2026:19410: Migration Toolkit for Virtualization 2.9
ADP: RHSA-2026:16874: Network Observability (NETOBSERV) 1.11.2
ADP: RHSA-2026:13553: Red Hat Ansible Automation Platform 2.5
ADP: RHSA-2026:13545: Red Hat Ansible Automation Platform 2.6
ADP: RHSA-2026:22619: Red Hat Data Grid 8.6.1
ADP: RHSA-2026:9742: Red Hat Developer Hub 1.8
ADP: RHSA-2026:13826: Red Hat Developer Hub 1.9
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:24977: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:19712: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:34100: Red Hat OpenShift Container Platform 4.17
ADP: RHSA-2026:17598: Red Hat OpenShift Container Platform 4.17
ADP: RHSA-2026:21658: Red Hat OpenShift Container Platform 4.18
ADP: RHSA-2026:17448: Red Hat OpenShift Container Platform 4.18
ADP: RHSA-2026:20042: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:20041: Red Hat OpenShift Container Platform 4.19
ADP: RHSA-2026:17469: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:17468: Red Hat OpenShift Container Platform 4.20
ADP: RHSA-2026:29795: Red Hat OpenShift Container Platform 4.22
ADP: RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27
ADP: RHSA-2026:20946: Red Hat OpenShift GitOps 1.18
ADP: RHSA-2026:20943: Red Hat OpenShift GitOps 1.19
ADP: RHSA-2026:8483: Red Hat OpenShift Service Mesh 2.6
ADP: RHSA-2026:8490: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:8491: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:8493: Red Hat OpenShift Service Mesh 3.3
ADP: RHSA-2026:8484: Red Hat OpenShift Service Mesh 3
ADP: RHSA-2026:9385: Red Hat OpenShift distributed tracing 3.9.3
ADP: RHSA-2026:17549: Red Hat Openshift Data Foundation 4.16
ADP: RHSA-2026:17550: Red Hat Openshift Data Foundation 4.17
ADP: RHSA-2026:17547: Red Hat Openshift Data Foundation 4.18
ADP: RHSA-2026:12279: Red Hat Openshift Data Foundation 4.19
ADP: RHSA-2026:12277: Red Hat Openshift Data Foundation 4.2
ADP: RHSA-2026:14870: Red Hat Satellite 6.18
ADP: RHSA-2026:14871: Red Hat Satellite 6.18
ADP: RHSA-2026:8498: Red Hat Satellite 6.18
ADP: RHSA-2026:10131: Red Hat Trusted Artifact Signer 1.3
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
ADP: RHSA-2026:13571: Streams for Apache Kafka 3.2.0
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.