Cyber Resilience

CVE-2026-4800

High · RCE · Updated

Published: 31 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (4.18.0)
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0103 (59.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4800 is a high-severity Code Injection (CWE-94) vulnerability in the Lodash JavaScript library (vendor: Lodash). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4800 is a code injection vulnerability in the Lodash JavaScript library's _.template function, affecting versions prior to 4.18.0. The issue stems from incomplete validation introduced in the fix for CVE-2021-23337, which validated the variable option but overlooked key names in the options.imports object. Both paths converge on the Function() constructor sink, enabling attackers to inject default-parameter expressions when untrusted input supplies options.imports key names, resulting in arbitrary code execution during template compilation. Additionally, _.template employs assignInWith to merge imports, which iterates over inherited properties via for..in; if Object.prototype has been polluted through other means, those keys propagate into the imports object and reach the Function() constructor.

Attackers can exploit this vulnerability remotely over the network without privileges or user interaction, though it requires high attack complexity. Exploitation targets applications that pass untrusted input as key names in the options.imports parameter to _.template, allowing injected code to execute at template compilation time for high-impact confidentiality, integrity, and availability violations (CVSS 8.1). Prototype pollution on Object.prototype provides an alternate vector to insert malicious keys into imports.

Advisories recommend upgrading to Lodash version 4.18.0, which addresses the validation gap. As a workaround, developers should avoid passing untrusted input as key names in options.imports and restrict usage to static, developer-controlled keys only. Relevant details appear in the OpenJSF CNA advisory and the linked GitHub commit.


Vulnerability details

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches: Users should upgrade to version 4.18.0.

Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
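The two passages above (the analysis and the vulnerability details) both reduce to one defensive rule: only developer-controlled, static identifier names may reach options.imports, and inherited keys must never be copied in. The guard below is an added example, not Lodash's own code or the advisory's; it assumes an application-specific allowlist (ALLOWED_IMPORTS) and takes the compile function as a parameter so it runs without lodash installed.

```javascript
// Added example (not Lodash's code): enforce the advisory's workaround before
// any imports object reaches _.template. Keys must be plain identifiers (so they
// cannot carry a default-parameter expression into the Function() parameter
// list), must not be reserved words, and must be on a static allowlist.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'let', 'new',
  'null', 'return', 'static', 'super', 'switch', 'this', 'throw', 'true', 'try',
  'typeof', 'var', 'void', 'while', 'with', 'yield', 'arguments', 'eval',
]);

// Assumed, application-specific: the only import names templates may use.
const ALLOWED_IMPORTS = new Set(['_', 'escapeHtml', 'formatDate']);

function isSafeImportKey(key) {
  return IDENTIFIER.test(key) && !RESERVED.has(key) && ALLOWED_IMPORTS.has(key);
}

// Copy only OWN, allowlisted keys into a null-prototype object. Object.keys()
// never yields inherited properties, so keys planted on Object.prototype by a
// pollution bug (which for..in would enumerate) are not carried over.
function sanitizeImports(candidate) {
  const imports = Object.create(null);
  const rejected = [];
  for (const key of Object.keys(candidate)) {
    if (isSafeImportKey(key)) imports[key] = candidate[key];
    else rejected.push(key);
  }
  return { imports, rejected };
}

// Wrapper around a compile function with _.template's signature
// (e.g. require('lodash').template). Refuses to compile if any key is rejected,
// rather than silently dropping it, so misuse is visible in logs/tests.
function safeTemplate(template, source, options = {}) {
  const { imports, rejected } = sanitizeImports(options.imports || {});
  if (rejected.length > 0) {
    throw new Error('refusing to compile template: unsafe imports key(s) ' +
      JSON.stringify(rejected));
  }
  // Object spread copies own enumerable properties only.
  return template(source, { ...options, imports });
}
```

Run `npm audit` or check the installed lodash version separately; this guard reduces exposure on older versions but is not a substitute for upgrading to 4.18.0.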

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Vulnerability enables remote arbitrary code execution via JS template injection in Lodash, directly facilitating T1190 for exploiting public-facing apps and T1059.007 for JavaScript interpreter abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26260 (shared CWE-94)
CVE-2026-26954 (shared CWE-94)
CVE-2026-41507 (shared CWE-94)
CVE-2025-12735 (shared CWE-94)
CVE-2026-25887 (shared CWE-94)
CVE-2026-33881 (shared CWE-94)
CVE-2026-25141 (shared CWE-94)
CVE-2025-23061 (shared CWE-94)
CVE-2026-33943 (shared CWE-94)
CVE-2026-40911 (shared CWE-94)

Affected Assets

Vendor   Package           Affected versions
lodash   lodash            4.0.0 to 4.18.0 (versions prior to 4.18.0; fixed in 4.18.0)
lodash   lodash-amd        4.0.0 to 4.18.0 (versions prior to 4.18.0; fixed in 4.18.0)
lodash   lodash-es         4.0.0 to 4.18.0 (versions prior to 4.18.0; fixed in 4.18.0)
lodash   lodash.template   4.0.0 to 4.18.0 (versions prior to 4.18.0; fixed in 4.18.0)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): Requires timely patching of the vulnerable Lodash library to version 4.18.0, directly remediating the incomplete validation in _.template that allows code injection via options.imports key names.

SI-10 Information Input Validation (prevent): Enforces validation of untrusted inputs before they are used as key names in options.imports, preventing injection of default-parameter expressions into the Function() constructor sink.

Integrity monitoring (detect): Monitors the integrity of software and data structures such as the imports object to detect prototype pollution that propagates malicious keys into _.template.
