Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches: Users should upgrade to version 4.18.0.

Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
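The workaround above, shown as a defensive wrapper. This is an added example, not lodash's own code; it assumes the caller can sanitize the imports object before handing it to the template engine, and it uses a tiny stand-in for the Function() sink (the same parameter-name shape _.template builds) so it runs without lodash installed. The identifier regex is our own allow-list, not the check lodash applies to the variable option.

```javascript
// Only plain identifiers may become Function() parameter names. Anything
// else (defaults, destructuring, rest, whitespace) is rejected outright.
// Assumption: a simple identifier allow-list is enough for parameter names.
const SAFE_PARAM_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// The weak pattern the advisory describes: for..in also walks the prototype,
// so inherited (possibly polluted) keys are copied into the imports object.
function naiveImports(imports) {
  const out = {};
  for (const key in imports) out[key] = imports[key];
  return out;
}

// Hardened version: own enumerable keys only (inherited keys are skipped),
// every key validated, result stored on a null-prototype object.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  for (const key of Object.keys(imports)) {
    if (!SAFE_PARAM_NAME.test(key)) {
      throw new TypeError(`unsafe imports key name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Stand-in for the sink: parameter names come straight from the imports keys,
// which is exactly what makes non-identifier key names dangerous.
function compileWithImports(body, imports) {
  const clean = sanitizeImports(imports);
  const names = Object.keys(clean);
  const fn = new Function(...names, `return (${body});`);
  return () => fn(...names.map((n) => clean[n]));
}

// Constructed inputs for the demo.
// 1) Developer-controlled, static key names: accepted.
const ok = compileWithImports('greet(who)', { greet: (w) => `hi ${w}`, who: 'dev' });
// 2) An object with an inherited key stands in for a polluted prototype
//    (without touching Object.prototype): naive copy picks it up, sanitized
//    copy does not.
const polluted = Object.create({ inherited: 'from-prototype' });
polluted.x = 1;
```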
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9 via RHSA-2026:10710 https://access.redhat.com/errata/RHSA-2026:10710
Red Hat Enterprise Linux 10 via RHSA-2026:10713 https://access.redhat.com/errata/RHSA-2026:10713
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions via RHSA-2026:11454 https://access.redhat.com/errata/RHSA-2026:11454
Red Hat Enterprise Linux 10.0 Extended Update Support via RHSA-2026:11470 https://access.redhat.com/errata/RHSA-2026:11470
Red Hat Enterprise Linux 9.6 Extended Update Support via RHSA-2026:11471 https://access.redhat.com/errata/RHSA-2026:11471
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.6 Telecommunications Update Service via RHSA-2026:11494 https://access.redhat.com/errata/RHSA-2026:11494
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.8 Telecommunications Update Service via RHSA-2026:11495 https://access.redhat.com/errata/RHSA-2026:11495
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions via RHSA-2026:11469 https://access.redhat.com/errata/RHSA-2026:11469
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On via RHSA-2026:11493 https://access.redhat.com/errata/RHSA-2026:11493
Red Hat Enterprise Linux 9.4 Extended Update Support via RHSA-2026:11516 https://access.redhat.com/errata/RHSA-2026:11516
Streams for Apache Kafka 3.2.0 via RHSA-2026:13571 https://access.redhat.com/errata/RHSA-2026:13571
Red Hat Enterprise Linux 10 via RHSA-2026:19008 https://access.redhat.com/errata/RHSA-2026:19008
Red Hat Enterprise Linux 9 via RHSA-2026:19167 https://access.redhat.com/errata/RHSA-2026:19167
Cryostat 4 on RHEL 9 via RHSA-2026:17789 https://access.redhat.com/errata/RHSA-2026:17789
Red Hat Data Grid 8.6.1 via RHSA-2026:22619 https://access.redhat.com/errata/RHSA-2026:22619