PT-2026-29336 · Lodash+3 · Lodash+3

Bugbunny-Research

+7

·

Published

2021-05-06

·

Updated

2026-07-03

·

CVE-2026-4800

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions lodash versions prior to 4.18.0
Description The software contains a flaw related to template compilation. Specifically, insufficient validation of key names within the options.imports object used by the .template function can allow an attacker to inject default-parameter expressions, leading to arbitrary code execution. The issue arises because validation applied to the option variable is not extended to the options.imports key names. Furthermore, the use of assignInWith can introduce vulnerabilities if Object.prototype has been compromised, potentially copying polluted keys into the imports object and ultimately executing malicious code.
Recommendations Upgrade to version 4.18.0. Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Exploit

Fix

Code Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:10710
ALSA-2026:10713
ALSA-2026:19167
BDU:2026-09406
CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CLEANSTART-2026-XR95601
CVE-2026-4800
GHSA-35JH-R3H4-6JHM
GHSA-R5FR-RJXR-66JC
RHSA-2026:10710
RHSA-2026:10713
RHSA-2026:11454
RHSA-2026:11469
RHSA-2026:11470
RHSA-2026:11471
RHSA-2026:11493
RHSA-2026:11494
RHSA-2026:11495
RHSA-2026:11516
RHSA-2026:19008
RHSA-2026:19167
RHSA-2026:24331
RHSA-2026:24762
USN-8411-1

Affected Products

Linuxmint
Rocky Linux
Ubuntu
Lodash