CVE-2026-4800
Code Injection via Untrusted Imports Keys in Lodash _.template
Publication date: 2026-03-31
Last updated on: 2026-05-01
Assigner: openjs
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lodash | lodash | From 4.0.0 (inc) to 4.18.0 (exc) |
| lodash | lodash-amd | From 4.0.0 (inc) to 4.18.0 (exc) |
| lodash | lodash-es | From 4.0.0 (inc) to 4.18.0 (exc) |
| lodash | lodash.template | From 4.0.0 (inc) to 4.18.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4800 is a code injection vulnerability in the Lodash library's _.template function. The issue arises because the variable option, which defines the name of the data object passed into the compiled template function, was not validated. Because that name is spliced directly into the source of the generated function, an attacker who controls it can inject code by supplying a name containing forbidden characters such as parentheses, equal signs, brackets, slashes, or whitespace.
The vulnerability allows arbitrary code execution at template compilation time if untrusted input is passed as the variable option. The fix introduced validation that rejects these dangerous characters in the variable option, preventing code injection.
How can this vulnerability impact me?
This vulnerability can lead to remote code execution if an attacker is able to supply malicious input to the _.template function's variable option. Exploiting this flaw could allow an attacker to execute arbitrary code in the process running the vulnerable Lodash version.
Such an attack can compromise the confidentiality, integrity, and availability of the affected system, potentially leading to data breaches, system takeover, or denial of service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means identifying uses of the Lodash _.template function where untrusted input reaches the variable option or the key names of options.imports.
Specifically, look for variable option values or imports key names that contain forbidden characters such as parentheses (), equal signs =, square brackets [], curly braces {}, forward slashes /, or whitespace, which are indicators of potential code injection attempts.
Since the vulnerability is in the Lodash library itself, detection can also include scanning your codebase and dependency manifests for affected Lodash versions and for calls to _.template that build the variable option or imports keys from dynamic or untrusted data.
The referenced resources provide no explicit commands for detecting exploitation on a network or system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Lodash to version 4.18.0 or later, where validation of the variable option in _.template has been added to prevent code injection.
As a workaround, do not pass untrusted input as key names in options.imports or as the variable option in _.template. Use only developer-controlled, static key names.
The patch forbids certain characters in the variable option to prevent injection, so validating that your own inputs conform to these restrictions before calling _.template is also worthwhile.
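As an added example (not Lodash's own code) of the workaround above, the helper below validates the `variable` option and `options.imports` key names before they reach `_.template`. The deny-list mirrors the characters the advisory names; the identifier allow-list is stricter than the patch and is an assumption made here, so that only a plain JavaScript identifier is accepted for either name. The compile function is passed in so the wrapper can wrap `_.template` without this file depending on Lodash.

```javascript
// Characters the advisory says the fix rejects in the `variable` option.
const FORBIDDEN_CHARS = /[()=\[\]{}\/\s]/;
// Assumed allow-list: a single JavaScript identifier (names become function
// parameters in the generated template source, so nothing else is needed).
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function isSafeTemplateName(name) {
  return typeof name === 'string' &&
    !FORBIDDEN_CHARS.test(name) &&
    IDENTIFIER.test(name);
}

// Returns a list of problems found in `options`; empty means it is safe to use.
function validateTemplateOptions(options = {}) {
  const problems = [];
  if (options.variable !== undefined && !isSafeTemplateName(options.variable)) {
    problems.push('variable: ' + JSON.stringify(options.variable));
  }
  for (const key of Object.keys(options.imports || {})) {
    if (!isSafeTemplateName(key)) {
      problems.push('imports key: ' + JSON.stringify(key));
    }
  }
  return problems;
}

// Wrap a template compiler (e.g. pass `_.template` as `compile`) so that unsafe
// option names are rejected before any template source is generated.
function safeTemplate(compile, source, options = {}) {
  const problems = validateTemplateOptions(options);
  if (problems.length > 0) {
    throw new Error('Unsafe _.template options rejected: ' + problems.join('; '));
  }
  return compile(source, options);
}

// Constructed sample: a static, developer-controlled name passes, while a
// name carrying an injected expression is rejected before compilation.
const safeOptions = { variable: 'data', imports: { fmt: (v) => String(v) } };
const unsafeOptions = { variable: 'data){return 1}(' };
```

When `compile` is Lodash's `_.template`, `safeTemplate` behaves exactly like `_.template` for valid names and throws for names that would have been spliced into the generated source.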
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2026-4800 on compliance with common standards and regulations such as GDPR or HIPAA.