PT-2026-29336 · Lodash+3
Bugbunny-Research +7
Published 2026-03-31 · Updated 2026-06-10
CVE-2026-4800
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
lodash versions prior to 4.18.0
Description
The flaw lies in template compilation. Key names in the options.imports object passed to the _.template function are not sufficiently validated, so an attacker who controls those key names can inject default-parameter expressions into the compiled template function, leading to arbitrary code execution. The validation applied to the variable option is not extended to the options.imports key names. In addition, because the imports are merged with assignInWith, a polluted Object.prototype can have its polluted keys copied into the imports object and ultimately executed as code.

Recommendations
Upgrade to version 4.18.0.
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Fix
Code Injection
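The recommendation above is to accept only developer-controlled, static key names in options.imports. The following is an added example, not lodash's own code and not part of this advisory: a defensive pre-check that an application can run on an imports object before handing it to _.template. The function names (checkTemplateImports, importsVerdict, SafeImportsError), the reserved-word subset and the sample inputs are this example's own assumptions. It rejects any key that is not a plain identifier (the compiled template uses each key as a parameter name of the generated function) and copies only own enumerable keys into a null-prototype object, so keys that exist only on a polluted prototype are never carried across.

```javascript
// Added example (not lodash code): defensive validation of the `imports`
// option before it reaches _.template. Names here are this example's own.

// A key is acceptable only if it is a plain JavaScript identifier.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words cannot be parameter names either. Assumption: a common
// subset; extend it for the runtime you target.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function',
  'if', 'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch',
  'this', 'throw', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield',
]);

class SafeImportsError extends Error {}

// Returns a null-prototype copy containing only the caller's own enumerable
// keys, each verified to be an identifier that is not a reserved word.
// Throws SafeImportsError on anything else. Keys inherited from a prototype
// (the pollution path the advisory mentions) are never copied.
function checkTemplateImports(imports) {
  const clean = Object.create(null);
  if (imports === null || typeof imports !== 'object') return clean;
  for (const key of Object.keys(imports)) {        // own enumerable keys only
    if (!IDENTIFIER.test(key) || RESERVED.has(key)) {
      throw new SafeImportsError(
        `refusing template import name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Non-throwing wrapper for use in validation pipelines or logging.
function importsVerdict(imports) {
  try {
    return { ok: true, keys: Object.keys(checkTemplateImports(imports)) };
  } catch (e) {
    if (e instanceof SafeImportsError) return { ok: false, reason: e.message };
    throw e;
  }
}

// --- constructed sample inputs (not taken from any real application) ---
const staticImports = { _: {}, escapeHtml: (s) => String(s) };  // developer-controlled
const oddKeyImports = { 'user name': 'x' };                      // not an identifier
const inherited = Object.create({ injected: 1 });                // key only on the prototype
inherited.ok = 2;

// Usage:
//   importsVerdict(staticImports).keys                 -> ['_', 'escapeHtml']
//   importsVerdict(oddKeyImports).ok                   -> false
//   Object.keys(checkTemplateImports(inherited))       -> ['ok']
```

The check is deliberately stricter than "looks like a variable name": reserved words are refused as well, and the returned object has no prototype, so code that later enumerates it with for...in or assignIn-style helpers cannot pick up inherited properties.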
Weakness Enumeration
Related identifiers
Affected products
Linuxmint
Rocky Linux
Ubuntu
Lodash