Home / Vulnerability Intelligence / CVE-2026-4800

CVE-2026-4800 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 31, 2026

Lodash - Template Injection

Published: March 31, 2026Updated: March 31, 2026Remote Exploitable

Overview

Lodash < 4.18.0 contains a template injection caused by lack of validation on options.imports key names in _.template, letting attackers inject expressions to execute arbitrary code at template compilation, exploit requires passing untrusted input as key names.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can execute arbitrary code during template compilation, potentially leading to full system compromise.

Mitigation

Upgrade to version 4.18.0.

References

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
https://cna.openjsf.org/security-advisories.html
https://github.com/advisories/GHSA-35jh-r3h4-6jhm

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-4800
Severity: High
CVSS Score: 8.1
Type: template_injection
Status: new

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H