CVE-2026-4800

critical

Description

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4800.json

https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c

https://github.com/advisories/GHSA-35jh-r3h4-6jhm

https://cna.openjsf.org/security-advisories.html

https://bugzilla.redhat.com/show_bug.cgi?id=2453496

https://access.redhat.com/security/cve/CVE-2026-4800

https://access.redhat.com/errata/RHSA-2026:9742

https://access.redhat.com/errata/RHSA-2026:9385

https://access.redhat.com/errata/RHSA-2026:8498

https://access.redhat.com/errata/RHSA-2026:8493

https://access.redhat.com/errata/RHSA-2026:8491

https://access.redhat.com/errata/RHSA-2026:8490

https://access.redhat.com/errata/RHSA-2026:8484

https://access.redhat.com/errata/RHSA-2026:8483

https://access.redhat.com/errata/RHSA-2026:37186

https://access.redhat.com/errata/RHSA-2026:36651

https://access.redhat.com/errata/RHSA-2026:34608

https://access.redhat.com/errata/RHSA-2026:34342

https://access.redhat.com/errata/RHSA-2026:34100

https://access.redhat.com/errata/RHSA-2026:29795

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:24762

https://access.redhat.com/errata/RHSA-2026:24331

https://access.redhat.com/errata/RHSA-2026:22619

https://access.redhat.com/errata/RHSA-2026:21658

https://access.redhat.com/errata/RHSA-2026:20946

https://access.redhat.com/errata/RHSA-2026:20943

https://access.redhat.com/errata/RHSA-2026:20042

https://access.redhat.com/errata/RHSA-2026:20041

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19410

https://access.redhat.com/errata/RHSA-2026:19409

https://access.redhat.com/errata/RHSA-2026:19167

https://access.redhat.com/errata/RHSA-2026:19008

https://access.redhat.com/errata/RHSA-2026:17789

https://access.redhat.com/errata/RHSA-2026:17598

https://access.redhat.com/errata/RHSA-2026:17550

https://access.redhat.com/errata/RHSA-2026:17549

https://access.redhat.com/errata/RHSA-2026:17547

https://access.redhat.com/errata/RHSA-2026:17469

https://access.redhat.com/errata/RHSA-2026:17468

https://access.redhat.com/errata/RHSA-2026:17448

https://access.redhat.com/errata/RHSA-2026:16874

https://access.redhat.com/errata/RHSA-2026:14871

https://access.redhat.com/errata/RHSA-2026:14870

https://access.redhat.com/errata/RHSA-2026:13826

https://access.redhat.com/errata/RHSA-2026:13571

https://access.redhat.com/errata/RHSA-2026:13553

https://access.redhat.com/errata/RHSA-2026:13545

https://access.redhat.com/errata/RHSA-2026:12279

https://access.redhat.com/errata/RHSA-2026:12277

https://access.redhat.com/errata/RHSA-2026:11516

https://access.redhat.com/errata/RHSA-2026:11495

https://access.redhat.com/errata/RHSA-2026:11494

https://access.redhat.com/errata/RHSA-2026:11493

https://access.redhat.com/errata/RHSA-2026:11471

https://access.redhat.com/errata/RHSA-2026:11470

https://access.redhat.com/errata/RHSA-2026:11469

https://access.redhat.com/errata/RHSA-2026:11454

https://access.redhat.com/errata/RHSA-2026:10713

https://access.redhat.com/errata/RHSA-2026:10710

https://access.redhat.com/errata/RHSA-2026:10175

https://access.redhat.com/errata/RHSA-2026:10131

Details

Source: Mitre, NVD

Published: 2026-03-31

Updated: 2026-07-14

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00068