CVE-2026-4800

EPSS 0.04%
Veröffentlicht 31.03.2026 19:25:55
Zuletzt bearbeitet 01.05.2026 18:09:13
Quelle ce714d77-add3-4f53-aff5-83d477
CVE-Watchlists
Login
Unerledigt
Login

lodash vulnerable to Code Injection via `_.template` imports key names

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lodash ≫ Lodash SwPlatformnode.js Version >= 4.0.0 < 4.18.0

Lodash ≫ Lodash-amd SwPlatformnode.js Version >= 4.0.0 < 4.18.0

Lodash ≫ Lodash-es SwPlatformnode.js Version >= 4.0.0 < 4.18.0

Lodash ≫ Lodash.Template SwPlatformnode.js Version >= 4.0.0 < 4.18.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.137

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ce714d77-add3-4f53-aff5-83d477b104bb	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://cna.openjsf.org/security-advisories.html

Third Party Advisory

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

Not Applicable

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2026-4800

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-4800

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-4800

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-4800