Code Injection Vulnerability in Lodash Template Function
CVE-2026-4800
8.1 HIGH
What is CVE-2026-4800?
The vulnerability in Lodash's template function arises from inadequate validation of the key names in options.imports, which allows an untrusted key name to be executed as code during template compilation and can lead to arbitrary code execution. Merging imports through assignInWith makes the risk worse, because that merge also copies polluted properties inherited from Object.prototype. To mitigate this risk, users are advised to upgrade to Lodash version 4.18.0 and to refrain from using dynamic keys in options.imports.
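As an added example (not code from the advisory or from the lodash project), the following allow-list can be applied to options.imports before it is passed to _.template. It keeps only own, identifier-shaped key names, since lodash uses those names as parameters of the function it compiles, and it drops inherited keys that an assignIn-style merge would otherwise pick up from a polluted prototype. The function names, the DENY set and the sample imports object are assumptions constructed for this example.

```javascript
// Added example, not code from the advisory or from the lodash project.
// Assumption: the application assembles `options.imports` for _.template
// from data it does not fully control, so every key name is checked
// before the object is handed to lodash.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Keys that pass the identifier check but are still not wanted as imports
// (assumed deny-list for this example).
const DENY = new Set(['constructor', 'prototype', '__proto__', 'eval', 'arguments']);

// Returns a fresh object holding only the own, identifier-named keys of
// `imports` that are also on `allowed` (when an allow-list is given).
// Throws on anything else, so a malformed key name fails loudly instead
// of reaching template compilation.
function sanitizeImports(imports, allowed) {
  if (imports === null || typeof imports !== 'object') {
    throw new TypeError('imports must be a plain object');
  }
  const clean = Object.create(null);
  // Object.keys lists own enumerable keys only, so keys inherited from a
  // polluted prototype are never copied, unlike an assignIn-style merge
  // that walks the prototype chain.
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key) || DENY.has(key)) {
      throw new TypeError(`rejected imports key ${JSON.stringify(key)}`);
    }
    if (allowed && !allowed.has(key)) {
      throw new TypeError(`imports key ${JSON.stringify(key)} is not on the allow-list`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Lists the keys that a prototype-walking merge would see but that
// sanitizeImports drops; useful as a log line when diagnosing pollution.
function inheritedKeys(imports) {
  const own = new Set(Object.keys(imports));
  const seen = [];
  for (const key in imports) {
    if (!own.has(key)) seen.push(key);
  }
  return seen;
}

// Constructed sample: an imports object whose prototype carries an extra,
// non-identifier key, standing in for a polluted Object.prototype without
// actually modifying it.
function demo() {
  const polluted = Object.create({ 'not an identifier': 1 });
  polluted.escape = (s) => String(s).replace(/</g, '&lt;');
  const clean = sanitizeImports(polluted, new Set(['escape']));
  return { cleanKeys: Object.keys(clean), dropped: inheritedKeys(polluted) };
}
```

Call sanitizeImports on the imports object and pass its return value as options.imports; keep the allow-list to the handful of helpers the templates actually need, so that a key name coming from configuration or request data can never reach the compiled function.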
Affected Version(s)
lodash 4.0.0 < 4.18.0
lodash-amd 4.0.0 < 4.18.0
lodash-es 4.0.0 < 4.18.0
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
dolevmiz1
bugbunny-research
M0nd0R
UlisesGascon
falsyvalues
jonchurch
threalwinky
jdalton
