CVE-2026-4800

EUVD-2026-17610

31.03.2026, 20:16

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Affected Products (NVD)

Vendor	Product	Version
lodash	lodash	4.0.0 ≤ 𝑥 < 4.18.0
lodash	lodash-amd	4.0.0 ≤ 𝑥 < 4.18.0
lodash	lodash-es	4.0.0 ≤ 𝑥 < 4.18.0
lodash	lodash.template	4.0.0 ≤ 𝑥 < 4.18.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-lodash

bookworm	vulnerable
bullseye	vulnerable
forky	4.18.1+dfsg-3 fixed
sid	4.18.1+dfsg-3 fixed
trixie	vulnerable

Red Hat Enterprise Linux Releases

Red Hat Product

Release

pcs

RHEL 8.4 AUS	0:0.10.8-1.el8_4.11 fixed
RHEL 8.6 E4S	0:0.10.12-6.el8_6.13 fixed
RHEL 8.6 TUS	0:0.10.12-6.el8_6.13 fixed
RHEL 8.8 E4S	0:0.10.15-4.el8_8.11 fixed
RHEL 8.8 TUS	0:0.10.15-4.el8_8.11 fixed
RHEL 9	0:0.11.10-1.el9_7.3 fixed

pcs-snmp

RHEL 8.4 AUS	0:0.10.8-1.el8_4.11 fixed
RHEL 8.6 E4S	0:0.10.12-6.el8_6.13 fixed
RHEL 8.6 TUS	0:0.10.12-6.el8_6.13 fixed
RHEL 8.8 E4S	0:0.10.15-4.el8_8.11 fixed
RHEL 8.8 TUS	0:0.10.15-4.el8_8.11 fixed
RHEL 9	0:0.11.10-1.el9_7.3 fixed

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Vulnerability Media Exposure

[GERMAN] Red Hat Enterprise Linux und Satellite (satellite/iop-remediations-rhel9 container image): Mehrere Schwachstellen
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux und Red Hat Satellite ausnutzen, um Informationen offenzulegen oder beliebigen Code auszuführen.
Published: 2026-04-16T22:00:00+00:00

References

https://cna.openjsf.org/security-advisories.html

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c