CVEFinder.io

CVE-2026-4800

⚠️ high

Description

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
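As an added example (not lodash's code or the advisory's), the wrapper below applies the workaround above before _.template is ever called: imports key names are restricted to own, allowlisted identifiers, and inherited keys are never enumerated. The names safeImports, compareEnumeration and rejectionMessage, the identifier regex and the reserved-word set are assumptions of this example; upgrading to 4.18.0 remains the fix.

```javascript
// Added example, not lodash's own code: build the `imports` object handed to
// _.template from developer-controlled, static key names only.

// ASCII identifier shape; an assumption for this demo (stricter than the
// JavaScript grammar, which also allows non-ASCII identifier characters).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Words that pass the regex but must never become a parameter name.
const RESERVED = new Set([
  'arguments', 'eval', 'this', 'new', 'function', 'return', 'var', 'let',
  'const', 'class', 'import', 'delete', 'typeof', 'void', 'with', 'yield',
  'await', 'super', 'in',
]);

// Returns a copy of `imports` containing only OWN keys that are plain
// identifiers and (optionally) on a developer-maintained allowlist; throws
// otherwise. Object.keys() is used instead of for..in, so keys inherited from
// a polluted Object.prototype are never copied into the parameter list.
function safeImports(imports, allowlist) {
  const out = Object.create(null);
  for (const name of Object.keys(imports)) {
    if (!IDENTIFIER.test(name) || RESERVED.has(name)) {
      throw new Error(`Invalid imports key name: ${JSON.stringify(name)}`);
    }
    if (allowlist && !allowlist.has(name)) {
      throw new Error(`imports key not on allowlist: ${name}`);
    }
    out[name] = imports[name];
  }
  return out;
}

// Side-by-side view of what for..in (the enumeration assignInWith performs)
// sees versus what safeImports keeps. A local prototype chain stands in for a
// polluted Object.prototype (constructed input; nothing global is touched).
function compareEnumeration() {
  const polluted = Object.create({ injected: 'inherited' });
  polluted.escape = (s) => String(s); // legitimate helper
  const viaForIn = [];
  for (const key in polluted) viaForIn.push(key);
  const viaSafe = Object.keys(safeImports(polluted, new Set(['escape'])));
  return { viaForIn, viaSafe };
}

// Error message safeImports raises for a key name that is not a bare
// identifier, or null when the name is accepted.
function rejectionMessage(name) {
  try {
    safeImports({ [name]: 1 });
    return null;
  } catch (err) {
    return err.message;
  }
}
```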

CVSS Score: 8.1 (High)
EPSS Score: 0.1 (Exploit Probability)
Published Date: 2026-03-31
First Seen: 2026-04-01
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 77.6% of all 318,071 vulnerabilities in our database.

Severity Percentile: #71,134 (Top 25% most severe)
🎯 CISA SSVC Assessment (Updated: Mar 31, 2026)
🔍 Exploitation Status: None (No known exploits)
⚙️ Automatable: NO (Requires human interaction)
💥 Technical Impact: Total (Complete system compromise possible)
🏆 Discovered By: dolevmiz1 (reporter), bugbunny-research (reporter), M0nd0R (reporter), UlisesGascon (remediation developer), falsyvalues (remediation reviewer), jonchurch (remediation reviewer), threalwinky (reporter), jdalton (remediation reviewer)
SSVC data provided by CISA
Last Modified 2026-04-07
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

🔗 Related CVEs (6)

CVE ID | Severity | CVSS | EPSS | Summary | Published
CVE-2026-2950 | 🔶 medium | 6.5 | 0.1 | Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. ... | 2026-03-31
CVE-2025-13465 | 🔶 medium | 5.3 | 0.0 | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An at... | 2026-01-21
CVE-2020-28500 | 🔶 medium | 5.3 | 0.3 | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim a... | 2021-02-15
CVE-2021-23337 | ⚠️ high | 7.2 | 0.7 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. | 2021-02-15
CVE-2020-8203 | ⚠️ high | 7.4 | 2.6 | Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. | 2020-07-15
CVE-2019-10744 | ⛔ critical | 9.1 | 2.4 | Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked ... | 2019-07-26
These CVEs affect the same products