lodash vulnerable to Code Injection via `_.template` imports key names
RSS Feed
HIGH
GHSA-r5fr-rjxr-66jc
CVE-2026-4800
Description:
Impact
The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches
Users should upgrade to version 4.18.0.
The fix applies two changes:
- Validate
importsKeysagainst the existingreForbiddenIdentifierCharsregex (same check already used for thevariableoption) - Replace
assignInWithwithassignWithwhen merging imports, so only own properties are enumerated
Workarounds
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Affected Packages
| Ecosystem | Package | Vulnerable Versions | Patched Version |
|---|---|---|---|
| npm |
lodash.template
|
>= 4.0.0, < 4.18.0 |
4.18.0
|
| npm |
lodash-amd
|
>= 4.0.0, <= 4.17.23 |
4.18.0
|
| npm |
lodash-es
|
>= 4.0.0, <= 4.17.23 |
4.18.0
|
| npm |
lodash
|
>= 4.0.0, <= 4.17.23 |
4.18.0
|
Bump lodash from 4.17.21 to 4.18.1
Closed about 8 hours ago
Tina2010/myFlix-Client #9
npm:lodash
build(deps): bump the npm_and_yarn group across 1 directory with 10 updates
Open about 9 hours ago
gitroomhq/postiz-app #1536
npm:axios
npm:vite
+7 more
build(deps): bump the npm_and_yarn group across 1 directory with 7 updates
Closed about 13 hours ago
Milky-Way-Cookie/autograd-engine #12
npm:vite
npm:rollup
+5 more
chore(deps): bump lodash from 4.17.23 to 4.18.1
Open about 16 hours ago
bronsonacoutts/MyTemplates #29
npm:lodash
Bump the production-dependencies group with 4 updates
Closed about 16 hours ago
Sammons/certbot-cloudflare-wrapper #35
npm:express
npm:lodash
+2 more
chore(deps-dev): bump lodash from 4.17.23 to 4.18.1 in /html/themes/custom/common_design_subtheme
Closed about 16 hours ago
UN-OCHA/common-design-site #633
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Open about 17 hours ago
Mordi490/lineup-larry #39
npm:lodash
chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates
Open about 18 hours ago
drewjocham/arguskube #112
npm:vite
npm:lodash
Bump the npm_and_yarn group across 2 directories with 7 updates
Open about 18 hours ago
nilhemdot/openwolf #1
npm:vite
npm:lodash
+3 more
chore(deps): bump the npm_and_yarn group across 4 directories with 10 updates
Open about 21 hours ago
CHENY260/onyx #1
npm:vite
npm:next
+4 more
Bump the npm_and_yarn group across 1 directory with 9 updates
Open about 22 hours ago
Googleclaude/react-router-starter-template-1 #1
npm:react-router
npm:vite
+7 more
Bump lodash from 4.17.21 to 4.18.1
Open 1 day ago
DougMackenzie/power-insight #6
npm:lodash
Bump the npm_and_yarn group across 7 directories with 10 updates
Open 1 day ago
balajirajput96/onnxruntime #42
npm:follow-redirects
npm:lodash
+3 more
Bump the npm_and_yarn group across 1 directory with 5 updates
Open 1 day ago
advayc/sitemaker #11
npm:next
npm:postcss
+3 more
Bump lodash from 4.17.20 to 4.18.1 in /javascript
Open 1 day ago
fullerrc/dependabot-demo #6
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Open 2 days ago
gtibrett/effone-hub #26
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Closed 2 days ago
deflis/ranking.riel.live #66
npm:lodash
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR38446__20260516 #51
npm:lodash-es
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR36880__20260516 #60
npm:lodash-es
Bump lodash-es from 4.17.21 to 4.18.1 in /js
Open 2 days ago
imantubex-create/keycloak__keycloak__prixai__PR37038__20260516 #47
npm:lodash-es
Bump the npm_and_yarn group across 2 directories with 17 updates
Closed 2 days ago
ZAK123DSFDF/refearnapp #27
npm:axios
npm:next
+3 more
Bump lodash from 4.17.21 to 4.18.1
Closed 2 days ago
michal-cecko/sw-kysuce-web #3
npm:lodash
chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates
Closed 2 days ago
marceljk/pv_tracker #32
npm:vite
npm:serialize-javascript
+5 more
chore(deps): bump the npm_and_yarn group across 12 directories with 10 updates
Open 2 days ago
balajirajput96/openai-node #44
npm:axios
npm:lodash
+4 more
Bump lodash from 4.17.21 to 4.18.1 in /samples/tab-stage-view/nodejs
Closed 2 days ago
shaneslo/Microsoft-Teams-Samples #4
npm:lodash
Bump lodash from 4.17.15 to 4.18.1
Open 2 days ago
bhargava16623/dependabot-alternatives-test #10
npm:lodash
Bump the npm_and_yarn group across 1 directory with 7 updates
Open 2 days ago
OsoPanda1/utamv-elite-masterclass #6
npm:vite
npm:rollup
+5 more
Bump the npm_and_yarn group across 1 directory with 13 updates
Open 2 days ago
jamesbroadmore/carterscare-v2.1 #1
npm:react-router
npm:vite
+10 more
Bump lodash from 4.17.21 to 4.18.1
Open 3 days ago
shogo82148/rfc-translated-ja #127
npm:lodash
Bump the npm_and_yarn group across 16 directories with 21 updates
Open 3 days ago
AKJUS/todomvc #27
npm:postcss
npm:follow-redirects
+12 more
Bump lodash from 4.17.4 to 4.18.1
Closed 3 days ago
1995parham/react-canvas-gauges #7
npm:lodash
ci: bump the npm_and_yarn group across 2 directories with 5 updates
Open 3 days ago
jadenblack/coder #17
npm:yaml
npm:minimatch
+3 more
chore(deps): bump the npm_and_yarn group across 2 directories with 16 updates
Open 3 days ago
servrox-solutions/punktaro-app #6
npm:@babel/helpers
npm:cross-spawn
+12 more
chore(deps): Bump the npm_and_yarn group across 1 directory with 16 updates
Closed 3 days ago
robertcdawson/coronavirus-us-county-tracker #28
npm:axios
npm:yaml
+10 more
Bump the npm_and_yarn group across 1 directory with 17 updates
Closed 3 days ago
shsunmoonlee/CryptoCurrencyData #1
npm:axios
npm:express
+10 more
chore(deps): bump lodash-es from 4.17.21 to 4.18.1 in /docs
Closed 3 days ago
samber/lo #885
npm:lodash-es
chore(deps): bump the npm_and_yarn group across 1 directory with 5 updates
Open 3 days ago
kinde-oss/js-utils #233
npm:postcss
npm:minimatch
+3 more
Bump lodash, grunt-legacy-log and grunt-legacy-util
Open 3 days ago
wp-media/imagify-plugin #1049
npm:grunt-legacy-util
npm:lodash, grunt-legacy-log
Bump lodash from 4.17.21 to 4.18.1
Open 3 days ago
d33naz/shesnotcrazybook #13
npm:lodash
Bump the npm_and_yarn group across 1 directory with 14 updates
Open 3 days ago
stupidkubik/kanban-board-app #10
npm:vite
npm:next
+12 more
Bump the npm_and_yarn group across 1 directory with 9 updates
Closed 3 days ago
stefanteitge/rc-cloud #21
npm:follow-redirects
npm:lodash
+7 more
chore(deps): bump the npm_and_yarn group across 1 directory with 12 updates
Open 3 days ago
xiaomizhoubaobei/302_image_toolbox #25
npm:cross-spawn
npm:nanoid
+10 more
chore(deps): bump the npm_and_yarn group across 4 directories with 14 updates
Open 3 days ago
Dargon789/safe-apps-sdk #199
npm:lodash
npm:node-forge
+3 more
Bump lodash from 4.17.20 to 4.18.1 in /javascript
Closed 3 days ago
e5pe0n/demo #5
npm:lodash
Bump lodash from 4.17.21 to 4.18.1
Open 4 days ago
FlyteWizard/csc-seng-heat-outlines #37
npm:lodash
chore(deps): bump the npm_and_yarn group across 6 directories with 20 updates
Open 4 days ago
loveyou001/wizard #19
npm:axios
npm:follow-redirects
+5 more
Bump lodash-es from 4.17.23 to 4.18.1
Open 4 days ago
alveusgg/alveusgg #2094
npm:lodash-es
Bump the npm_and_yarn group across 12 directories with 6 updates
Closed 4 days ago
gagan0123/jetpack #19
npm:undici
npm:lodash
+2 more
chore(deps): bump lodash-es from 4.17.23 to 4.18.1
Open 4 days ago
rebekah-create/inbox-zero-rebekah #25
npm:lodash-es
Bump the npm_and_yarn group across 1 directory with 8 updates
Closed 4 days ago
fharisorg/repo #1
npm:vite
npm:postcss
+5 more
Actions
Advisory Details
| Published: | April 01, 2026 about 2 months ago |
| Updated: | May 18, 2026 about 4 hours ago |
| CVSS Score: | 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS: | 0.04% 14th percentile |
| Source: | Github |
| Classification: | GENERAL |
| UUID: | GSA_kwCzR0hTQS1yNWZyLXJqeHItNjZqY84ABUmW |
PR Statistics
PR Status
Open
1997 (53.7%)
Merged
0 (0.0%)
Closed
1720 (46.3%)
Update Types
Major
1329 (8.0%)
Minor
9052 (54.3%)
Patch
6106 (36.6%)
References
- https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc
- https://nvd.nist.gov/vuln/detail/CVE-2026-4800
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c
- https://cna.openjsf.org/security-advisories.html
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm
- https://github.com/advisories/GHSA-r5fr-rjxr-66jc