DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-4800: CVE-2026-4800: Code Injection and Remote Code Execution in lodash _.template

#security #cve #cybersecurity

CVE-2026-4800: Code Injection and Remote Code Execution in lodash _.template

Vulnerability ID: CVE-2026-4800
CVSS Score: 8.1
Published: 2026-04-01

CVE-2026-4800 is a high-severity code injection vulnerability (CWE-94) in the lodash library's _.template function. Arising from an incomplete patch for CVE-2021-23337, this flaw allows unauthenticated attackers to execute arbitrary JavaScript upon template compilation via malicious object keys.

TL;DR

A bypass in lodash's _.template sanitization logic permits remote code execution via direct input or prototype pollution. Attackers can leverage ES6 default parameter syntax within unsanitized imports keys to execute arbitrary code when the template function is compiled.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS v3.1: 8.1
  • EPSS Score: 0.00068
  • Impact: Remote Code Execution
  • Exploit Status: PoC
  • CISA KEV: No

Affected Systems

  • lodash utility library
  • Applications utilizing lodash _.template() functionality
  • Node.js server environments
  • Client-side browser applications bundling lodash
  • lodash: >= 4.0.0, < 4.18.0 (Fixed in: 4.18.0)

Code Analysis

Commit: 3469357

Original incomplete fix for CVE-2021-23337

Exploit Details

  • GitHub (threalwinky): Proof of Concept demonstrating remote code execution via prototype pollution and lodash compilation.

Mitigation Strategies

  • Upgrade lodash to version 4.18.0 or later.
  • Prevent user-controlled inputs from defining key names in the options.imports object.
  • Enforce static, hard-coded key definitions for all template imports.
  • Implement generic prototype pollution defenses by using Object.freeze(Object.prototype).

Remediation Steps:

  1. Identify all projects utilizing the lodash package, including transitive dependencies.
  2. Update the package.json dependency to specifically require lodash >= 4.18.0.
  3. Execute package manager lockfile updates (npm update lodash, yarn upgrade lodash) to enforce the new version constraint.
  4. Audit application source code for any instances where _.template options are constructed using user-supplied JSON or objects.
  5. Deploy the updated application to staging, run the test suite, and promote to production.

References

Read the full report for CVE-2026-4800 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)