9.8

CVE-2026-4800

lodash vulnerable to Code Injection via `_.template` imports key names

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LodashLodash SwPlatformnode.js Version >= 4.0.0 < 4.18.0
LodashLodash-amd SwPlatformnode.js Version >= 4.0.0 < 4.18.0
LodashLodash-es SwPlatformnode.js Version >= 4.0.0 < 4.18.0
LodashLodash.Template SwPlatformnode.js Version >= 4.0.0 < 4.18.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.74% 0.748
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ce714d77-add3-4f53-aff5-83d477b104bb 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://cna.openjsf.org/security-advisories.html
Third Party Advisory
https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
Not Applicable
https://bugzilla.redhat.com/show_bug.cgi?id=2453496
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4800.json
https://access.redhat.com/errata/RHSA-2026:12279
https://access.redhat.com/errata/RHSA-2026:13571
https://access.redhat.com/errata/RHSA-2026:17468
https://access.redhat.com/errata/RHSA-2026:17598
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:20041
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:10175
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:16874
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:9385
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:24762
https://access.redhat.com/errata/RHSA-2026:34608
https://access.redhat.com/errata/RHSA-2026:34342
https://access.redhat.com/errata/RHSA-2026:10131
https://access.redhat.com/errata/RHSA-2026:12277
https://access.redhat.com/errata/RHSA-2026:17448
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:20042
https://access.redhat.com/errata/RHSA-2026:20943
https://access.redhat.com/errata/RHSA-2026:20946
https://access.redhat.com/errata/RHSA-2026:21658
https://access.redhat.com/errata/RHSA-2026:17547
https://access.redhat.com/errata/RHSA-2026:17550
https://access.redhat.com/errata/RHSA-2026:17469
https://access.redhat.com/errata/RHSA-2026:29795
https://access.redhat.com/errata/RHSA-2026:36651
https://access.redhat.com/errata/RHSA-2026:14870
https://access.redhat.com/errata/RHSA-2026:14871
https://access.redhat.com/errata/RHSA-2026:24331
https://access.redhat.com/errata/RHSA-2026:19409
https://access.redhat.com/errata/RHSA-2026:19410
https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Not Applicable
https://access.redhat.com/errata/RHSA-2026:10710
https://access.redhat.com/errata/RHSA-2026:10713
https://access.redhat.com/errata/RHSA-2026:11454
https://access.redhat.com/errata/RHSA-2026:11469
https://access.redhat.com/errata/RHSA-2026:11470
https://access.redhat.com/errata/RHSA-2026:11471
https://access.redhat.com/errata/RHSA-2026:11493
https://access.redhat.com/errata/RHSA-2026:11494
https://access.redhat.com/errata/RHSA-2026:11495
https://access.redhat.com/errata/RHSA-2026:11516
https://access.redhat.com/errata/RHSA-2026:13553
https://access.redhat.com/errata/RHSA-2026:17549
https://access.redhat.com/errata/RHSA-2026:19008
https://access.redhat.com/errata/RHSA-2026:19167
https://access.redhat.com/errata/RHSA-2026:22619
https://access.redhat.com/errata/RHSA-2026:8498
https://access.redhat.com/security/cve/CVE-2026-4800
https://access.redhat.com/errata/RHSA-2026:34100