PT-2026-29336 · Lodash+1
Bugbunny-Research +7
Published 2026-03-31 · Updated 2026-05-01 · CVE-2026-4800
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: lodash versions prior to 4.18.0
Description: The software contains a flaw in template compilation. Key names in the options.imports object passed to the _.template function are not sufficiently validated, so an attacker who controls those key names can inject default-parameter expressions into the compiled template, leading to arbitrary code execution. The issue arises because the validation applied to the variable option is not extended to the key names of options.imports. In addition, the use of assignInWith can make this exploitable when Object.prototype has been polluted: inherited (polluted) keys may be copied into the imports object and ultimately executed as code.
Recommendations: Upgrade to version 4.18.0. Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
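One way to enforce the recommendation above in application code, as an added defensive example that is not lodash's own code: the helpers isSafeImportKey and sanitizeImports are hypothetical, and the conservative ASCII identifier grammar they accept is an assumption.

```javascript
// Added defensive example (not lodash's own code): vet the key names of the
// `imports` object before it is handed to _.template, so that only static,
// identifier-shaped, own-property keys ever reach template compilation.
// Assumption: a conservative ASCII identifier grammar is acceptable for import names.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reject keys that are not plain identifiers. Anything containing '=', ',',
// parentheses or whitespace could be interpreted as a default-parameter
// expression rather than a bare parameter name when the template is compiled.
function isSafeImportKey(key) {
  return typeof key === 'string' && IDENTIFIER.test(key);
}

// Build a clean imports object: copy only own enumerable properties (so keys
// sitting on Object.prototype or on another prototype are never picked up, in
// contrast to assignInWith, which also walks inherited properties), and throw
// on any key name that fails the identifier check.
function sanitizeImports(imports) {
  const clean = Object.create(null); // no prototype, so nothing can be inherited
  for (const key of Object.keys(imports)) {
    if (!isSafeImportKey(key)) {
      throw new TypeError(`unsafe template import key: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Hypothetical usage at the call site:
//   _.template(source, { imports: sanitizeImports(staticImports) });
```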

Fix

Code Injection

Weakness Enumeration

Related Identifiers

ALSA-2026:10710
ALSA-2026:10713
CLEANSTART-2026-KS09647
CLEANSTART-2026-TW25027
CVE-2026-4800
GHSA-R5FR-RJXR-66JC
RHSA-2026:10710
RHSA-2026:10713
RHSA-2026:11454
RHSA-2026:11469
RHSA-2026:11470
RHSA-2026:11471
RHSA-2026:11493
RHSA-2026:11494
RHSA-2026:11495
RHSA-2026:11516

Affected Products

Rocky Linux
Lodash