CVE-2026-4800

HIGH

lodash vulnerable to Code Injection via `_.template` imports key names

Title source: cna

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-4800. PoCs published by adminlove520, SvenLie, threalwinky.

Description

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the `variable` option in `_.template` but did not apply the same validation to `options.imports` key names. Both paths flow into the same `Function()` constructor sink. When an application passes untrusted input as `options.imports` key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.

Additionally, `_.template` uses `assignInWith` to merge imports, which enumerates inherited properties via `for..in`. If `Object.prototype` has been polluted by any other vector, the polluted keys are copied into the imports object and passed to `Function()`.

Patches: Users should upgrade to version 4.18.0.

Workarounds: Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.
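The workaround above (static, developer-controlled key names) can be enforced in code before an imports object is handed to `_.template`. The following is an added example, not lodash's own code or its 4.18.0 fix; `sanitizeImports`, the allowlisted names and the sample inputs are hypothetical and constructed.

```javascript
// Conservative identifier pattern (assumption: ASCII names suffice here).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hypothetical helper: returns a null-prototype copy of `imports` holding only
// own keys that are plain identifiers and on the developer-defined allowlist.
function sanitizeImports(imports, allowedNames) {
  const allowed = new Set(allowedNames);
  const clean = Object.create(null);
  if (imports == null) return clean;
  if (typeof imports !== 'object') {
    throw new TypeError('imports must be an object');
  }
  // Object.keys() returns own enumerable string keys only, unlike for..in.
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key)) {
      throw new Error('rejected imports key (not an identifier): ' + JSON.stringify(key));
    }
    if (!allowed.has(key)) {
      throw new Error('rejected imports key (not allowlisted): ' + key);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Constructed sample inputs exercising the three cases.
function demo() {
  const allowed = ['formatDate', 'escapeHtml'];
  const ok = sanitizeImports({ formatDate: (d) => String(d) }, allowed);

  // Key inherited from a prototype: visible to for..in, dropped by the helper.
  const inheriting = Object.create({ inheritedKey: 1 });
  inheriting.escapeHtml = (s) => s;
  const forInKeys = [];
  for (const k in inheriting) forInKeys.push(k);
  const cleaned = sanitizeImports(inheriting, allowed);

  // Key name that is not a bare identifier (constructed, inert).
  let rejected = false;
  try {
    sanitizeImports({ 'x = 1': 0 }, allowed);
  } catch (e) {
    rejected = true;
  }
  return { okKeys: Object.keys(ok), forInKeys, cleanedKeys: Object.keys(cleaned), rejected };
}

console.log(demo());
```

Pass the returned object as `options.imports`. The helper checks only the object the caller supplies and does not replace upgrading to 4.18.0.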

Exploits (3)

nomisec STUB
by SvenLie · poc
https://github.com/SvenLie/next-rep-CVE-2026-4800

The repository contains only a basic Next.js project structure with no exploit code or technical details related to CVE-2026-4800. It appears to be a placeholder or template project.

Classification: Stub 95%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Next.js (version unspecified)
No auth needed
Prerequisites: None identified
devstral-2 · analyzed Apr 08, 2026

nomisec WORKING POC
by threalwinky · poc
https://github.com/threalwinky/CVE-2026-4800-POC

This repository contains a functional proof-of-concept exploit for CVE-2026-4800, demonstrating a prototype pollution vulnerability in Lodash that leads to remote code execution (RCE). The exploit leverages prototype pollution to inject malicious code into the `imports` property, which is then executed when Lodash processes template settings.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Lodash (version not explicitly specified, but likely 4.17.23 or earlier)
No auth needed
Prerequisites: Presence of Lodash in the target environment · Ability to execute arbitrary JavaScript in the context of the target application
devstral-2 · analyzed Apr 07, 2026

Scores

CVSS v3: 8.1
EPSS: 0.0005
EPSS Percentile: 14.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (16)
lodash/lodash < 4.17.21
lodash/lodash 4.0.0 - 4.18.0
lodash/lodash 4.18.0
lodash/lodash-amd 4.0.0 - 4.18.0 (2 CPE variants)
lodash/lodash-amd 4.18.0
lodash/lodash-es < 4.17.21
lodash/lodash-es 4.0.0 - 4.18.0
lodash/lodash-es 4.18.0
lodash/lodash-rails < 4.17.21
lodash/lodash.template < 4.5.0
... and 6 more
Published: Mar 31, 2026
Tracked Since: Apr 01, 2026