Bug 2453496 (CVE-2026-4800) - CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in template imports
Summary: CVE-2026-4800 lodash: lodash: Arbitrary code execution via untrusted input in...
Keywords:
Status: NEW
Alias: CVE-2026-4800
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2453972 2453973 2453974 2453975 2453976 2453977 2453978 2453979 2453980 2453981 2453982 2453983 2453984 2453985 2453986 2453987 2453988 2453989 2453990 2453991 2453992 2453993 2453995 2453999 2454001 2454003 2454004 2454005 2454006 2454007 2454008 2454009 2454010 2454011 2454012 2454013 2454014 2454015 2454016 2454019 2454020 2454021 2454022 2454023 2454024 2454025 2454026 2454027 2454028 2454029 2454031 2454035 2454036 2454037 2454038 2454039 2454040 2454041 2454042 2454043 2454044 2454046 2454048 2454049 2454050 2454051 2454052 2454053 2454054 2454056 2454057 2454058 2453994 2453997 2454017 2454018 2454033 2454034 2454055
Blocks:
Reported: 2026-03-31 20:01 UTC by OSIDB Bzimport
Modified: 2026-04-01 21:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-31 20:01:47 UTC
Impact:

The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.

When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches:

Users should upgrade to version 4.18.0.

Workarounds:

Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
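The following is an added illustration, not lodash's own code and not taken from the fix referenced above. It shows the two defensive points the description and workaround make: import key names end up as parameter names of a Function() constructor call, so they must be restricted to plain identifiers before they reach that sink; and merging imports with a for..in style loop copies inherited keys, so an own-property merge (Object.keys) is used instead. The identifier regex, the function names (invalidImportNames, mergeImports, compileTemplate) and the sample imports are assumptions made for this example.

```javascript
// Added example (not lodash's code): validate template import names before
// they become Function() parameters, and merge imports without walking
// inherited properties.

// Assumption: an import name is acceptable only if it is a plain JS identifier.
// Anything else (spaces, "=", "(", ",", "{", "}") would change the shape of the
// parameter list handed to the Function() constructor.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Return the list of import names that are not plain identifiers.
function invalidImportNames(imports) {
  return Object.keys(imports || {}).filter((name) => !IDENTIFIER_RE.test(name));
}

// Merge default imports with caller-supplied ones using Object.keys, so only
// own enumerable properties are copied. A for..in loop would also enumerate
// inherited keys, which is how a polluted Object.prototype would leak in.
function mergeImports(defaults, imports) {
  const merged = Object.create(null);
  for (const key of Object.keys(defaults || {})) merged[key] = defaults[key];
  for (const key of Object.keys(imports || {})) merged[key] = imports[key];
  return merged;
}

// Build a template function. `body` is developer-written JS (standing in for a
// compiled template source) and may reference the imports plus `__data`.
// The import names become the parameter names of the generated function,
// which is exactly the Function() sink the advisory describes, so they are
// validated first and compilation is refused if any name is not an identifier.
function compileTemplate(body, imports, defaults = {}) {
  const merged = mergeImports(defaults, imports);
  const bad = invalidImportNames(merged);
  if (bad.length > 0) {
    throw new Error('Invalid template import name(s): ' + JSON.stringify(bad));
  }
  const names = Object.keys(merged);
  const values = names.map((n) => merged[n]);
  const fn = new Function(...names, '__data', body);
  return (data) => fn(...values, data);
}

// Constructed sample usage with developer-controlled, static import names.
const upperGreeting = compileTemplate(
  'return greet(__data.name).toUpperCase();',
  { greet: (s) => 'hello ' + s }
);
console.log(upperGreeting({ name: 'ada' })); // HELLO ADA

// A key that is not an identifier is rejected before Function() is reached.
try {
  compileTemplate('return 1;', { 'not an identifier': 1 });
} catch (e) {
  console.log(e.message);
}
```

The merge returns a null-prototype object so that the merged imports themselves cannot pick up inherited keys on a later lookup; names that are syntactically identifiers but reserved words (for example `class`) are still refused, by the Function() constructor itself with a SyntaxError, which is acceptable here because the names are meant to be static and developer-chosen.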

