CVE-2026-4800
Published: 31 March 2026
Summary
CVE-2026-4800 is a high-severity Code Injection (CWE-94) vulnerability in the Lodash JavaScript library. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of the vulnerable Lodash library to version 4.18.0, directly remediating the incomplete validation in _.template that allows code injection via options.imports key names.
- Enforces validation of untrusted inputs before using them as key names in options.imports, preventing injection of default-parameter expressions into the Function() constructor sink.
- Monitors the integrity of software and data structures such as the imports object to detect prototype pollution that propagates malicious keys into _.template.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote arbitrary code execution via JavaScript template injection in Lodash, directly facilitating T1190 (exploiting public-facing applications) and T1059.007 (JavaScript interpreter abuse).
NVD Description
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches: Users should upgrade to version 4.18.0.
Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Deeper analysis
CVE-2026-4800 is a code injection vulnerability in the Lodash JavaScript library's _.template function, affecting versions prior to 4.18.0. The issue stems from incomplete validation introduced in the fix for CVE-2021-23337, which validated the variable option but overlooked key names in the options.imports object. Both paths converge on the Function() constructor sink, enabling attackers to inject default-parameter expressions when untrusted input supplies options.imports key names, resulting in arbitrary code execution during template compilation. Additionally, _.template employs assignInWith to merge imports, which iterates over inherited properties via for..in; if Object.prototype has been polluted through other means, those keys propagate into the imports object and reach the Function() constructor.
Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though it requires high attack complexity. Exploitation targets applications that pass untrusted input as key names in the options.imports parameter to _.template, allowing injected code to execute at template compilation time for high-impact confidentiality, integrity, and availability violations (CVSS 8.1). Prototype pollution on Object.prototype provides an alternate vector to insert malicious keys into imports.
Advisories recommend upgrading to Lodash version 4.18.0, which addresses the validation gap. As a workaround, developers should avoid passing untrusted input as key names in options.imports and restrict usage to static, developer-controlled keys only. Relevant details appear in the OpenJSF CNA advisory and the linked GitHub commit.
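As an added example that is not part of this advisory or of Lodash's own code, the following JavaScript shows one way to apply the workaround above in an application that must accept caller-supplied imports: every key name is checked to be a plain identifier before it can reach the Function() sink, and only own enumerable keys are copied so that keys inherited from a polluted prototype are not carried along. The helper names keysIn and sanitizeImports are assumptions for illustration.

```javascript
// Added example (not Lodash's code): guard untrusted `options.imports` before
// handing it to _.template. Two checks, matching the two paths in the advisory:
//   1. each key must be a plain identifier (a default-parameter expression is not);
//   2. only own enumerable keys are copied; for..in, as used by assignInWith,
//      would also walk inherited keys, which is how polluted prototypes leak in.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Reserved words match the regex but are invalid as parameter names.
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'let',
  'new', 'null', 'return', 'static', 'super', 'switch', 'this', 'throw',
  'true', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield',
]);

function isSafeImportKey(key) {
  return typeof key === 'string' && IDENTIFIER.test(key) && !RESERVED.has(key);
}

// Hypothetical helper: enumerates own and inherited enumerable keys, as for..in does.
function keysIn(obj) {
  const out = [];
  for (const key in obj) out.push(key);
  return out;
}

// Returns a prototype-less copy holding only own keys that passed validation;
// throws on the first unsafe key so the template is never compiled.
function sanitizeImports(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object') {
    throw new TypeError('imports must be an object');
  }
  const safe = Object.create(null); // no prototype chain for for..in to walk
  for (const key of Object.keys(untrusted)) { // own enumerable keys only
    if (!isSafeImportKey(key)) {
      throw new Error(`rejected imports key: ${JSON.stringify(key)}`);
    }
    safe[key] = untrusted[key];
  }
  return safe;
}

// Usage: _.template(source, { imports: sanitizeImports(untrustedImports) });
```

Note that this only cleans the object the caller controls; a polluted Object.prototype can still reach _.template through Lodash's own templateSettings.imports, so prototype pollution must be fixed at its source and the library upgraded to 4.18.0.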
Details
- CWE(s)