{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lodash/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4800"},{"cvss":7.2,"id":"CVE-2021-23337"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["lodash","template-injection","rce","cve-2026-4800"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4800 is a critical vulnerability in the \u003ccode\u003e_.template\u003c/code\u003e function of the lodash library in versions prior to 4.18.0. It arises from insufficient validation of user-supplied key names in the \u003ccode\u003eoptions.imports\u003c/code\u003e object. The fix for CVE-2021-23337 added a forbidden-character check for the \u003ccode\u003evariable\u003c/code\u003e option, but the same check was not extended to the key names of \u003ccode\u003eoptions.imports\u003c/code\u003e. Those key names are used as the parameter list of the \u003ccode\u003eFunction()\u003c/code\u003e constructor when the template is compiled, so a key of the form \u003ccode\u003ename = expression\u003c/code\u003e is parsed as a default-parameter initializer, and \u003ccode\u003eexpression\u003c/code\u003e is evaluated as JavaScript when the freshly built function is applied (the initializer runs when the value supplied for that parameter is \u003ccode\u003eundefined\u003c/code\u003e, which the attacker also controls). That application happens inside \u003ccode\u003e_.template\u003c/code\u003e itself, so the attacker achieves arbitrary code execution at compilation time, before the template is ever rendered. This poses a significant risk to applications that accept untrusted input to configure lodash templates, as opposed to merely rendering untrusted data through them, potentially leading to full system compromise. 
Furthermore, because lodash merges \u003ccode\u003eoptions.imports\u003c/code\u003e with \u003ccode\u003eassignInWith\u003c/code\u003e, which copies inherited enumerable properties as well as own ones, a polluted \u003ccode\u003eObject.prototype\u003c/code\u003e can inject key names into the \u003ccode\u003eimports\u003c/code\u003e object even when the caller passes a benign object, widening the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe application receives untrusted input and uses it to build the \u003ccode\u003eoptions.imports\u003c/code\u003e object for a lodash template.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts key names that embed JavaScript as a default-parameter expression (\u003ccode\u003ename = expression\u003c/code\u003e), the form that will later be accepted as a parameter declaration.\u003c/li\u003e\n\u003cli\u003eThe application passes the attacker-controlled \u003ccode\u003eoptions.imports\u003c/code\u003e object to \u003ccode\u003e_.template\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e_.template\u003c/code\u003e accepts the key names without the forbidden-character validation it applies to \u003ccode\u003evariable\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eassignInWith\u003c/code\u003e merges the supplied imports, including the attacker-controlled key names and any inherited from a polluted prototype, into the template context.\u003c/li\u003e\n\u003cli\u003eDuring compilation, \u003ccode\u003e_.template\u003c/code\u003e passes the merged key names as the parameter list of the \u003ccode\u003eFunction()\u003c/code\u003e constructor and immediately applies the resulting function, so the default-parameter expression is evaluated.\u003c/li\u003e\n\u003cli\u003eThe injected code runs with the privileges of the application process, giving the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eFrom there the attacker can install malware, exfiltrate sensitive data, or pivot to other parts of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4800 can lead to arbitrary code 
execution on the server or client machine where the vulnerable application is running. The vulnerability carries a CVSS score of 8.1 and can give an attacker full control of the affected system. Exposure requires that untrusted input reach the key names of \u003ccode\u003eoptions.imports\u003c/code\u003e, either directly or through prototype pollution; rendering untrusted data through a template compiled from trusted source and trusted options is not by itself affected. Within that condition the exposed population is broad: any web application, API, or server-side rendering framework that builds template configuration from external input on a vulnerable lodash version. A successful attack could result in data breaches, service disruptions, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to lodash version 4.18.0 or later to patch CVE-2026-4800; the fixed versions validate the key names of \u003ccode\u003eoptions.imports\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any data used to construct \u003ccode\u003eoptions.imports\u003c/code\u003e objects: reject any key that is not a plain identifier before it reaches \u003ccode\u003e_.template\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply the workaround of using only developer-controlled, static key names in \u003ccode\u003eoptions.imports\u003c/code\u003e, and never pass untrusted input as key names.\u003c/li\u003e\n\u003cli\u003eNote that validating the object you pass does not cover key names inherited from a polluted \u003ccode\u003eObject.prototype\u003c/code\u003e, so treat the upgrade as the only complete fix and address any prototype-pollution exposure on the same code path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Lodash Template Injection via options.imports\u003c/code\u003e to identify potential exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T20:16:29Z","date_published":"2026-03-31T20:16:29Z","id":"/briefs/2026-03-lodash-template-injection/","summary":"CVE-2026-4800 allows attackers to inject arbitrary code at template compilation time via untrusted input passed as key names in the options.imports object of the _.template function in lodash versions prior to 4.18.0, potentially leading to remote code execution.","title":"lodash _.template Function Injection Vulnerability 
(CVE-2026-4800)","url":"https://feed.craftedsignal.io/briefs/2026-03-lodash-template-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Lodash","version":"https://jsonfeed.org/version/1.1"}
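Added example, not part of the CraftedSignal brief and not lodash's own code: a constructed, simplified model of the compile step described in the Attack Chain (import key names become the parameter list of `Function()`, and the result is applied immediately), a hostile key in the default-parameter form, and the key-name guard the Recommendation section calls for, including the prototype-pollution check. `compileLike`, `validateImports`, `demo`, `demoPollution`, `PLAIN_IDENTIFIER` and the `globalThis.__cs_marker` global are assumed names for illustration; the marker stands in for attacker code, and the hostile keys are constructed sample input.

```javascript
// Constructed model of the compile step the advisory describes: the import key
// names become the parameter list of Function() and the resulting function is
// applied to the import values at once, at compile time. This is a sketch for
// illustration, not lodash's own implementation.
function compileLike(imports, templateSource) {
  const names = [];
  for (const k in imports) names.push(k); // assignIn semantics: inherited keys included
  const values = names.map((k) => imports[k]);
  // Function() coerces the array of names to "name1,name2,..."; any
  // default-parameter initializer hidden in a name runs during .apply() below.
  return Function(names, 'return ' + templateSource).apply(undefined, values);
}

// Hardened guard (assumed helper): run before every _.template(src, { imports }).
const PLAIN_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function validateImports(imports) {
  if (imports === null || typeof imports !== 'object' || Array.isArray(imports)) {
    throw new TypeError('imports must be a plain object');
  }
  // Inherited enumerable keys reach the parameter list via assignIn, so refuse
  // to continue at all if Object.prototype has been polluted.
  const inherited = [];
  for (const k in {}) inherited.push(k);
  if (inherited.length > 0) {
    throw new Error('Object.prototype is polluted: ' + JSON.stringify(inherited));
  }
  const clean = {};
  for (const k of Object.keys(imports)) { // own keys only
    if (!PLAIN_IDENTIFIER.test(k)) {
      throw new Error('import key is not a plain identifier: ' + JSON.stringify(k));
    }
    clean[k] = imports[k];
  }
  return clean;
}

// Walks the unvalidated and the validated path with a constructed hostile key.
// The marker on globalThis stands in for attacker code; the value is left
// undefined so that the default-parameter initializer is evaluated.
function demo() {
  const TEMPLATE = 'function (obj) { return greeting + ", " + obj.name + "!"; }';
  const hostile = {
    greeting: 'hello',
    'x = (globalThis.__cs_marker = "ran", 1)': undefined,
  };

  delete globalThis.__cs_marker;
  const tpl = compileLike(hostile, TEMPLATE);
  const ranAtCompile = globalThis.__cs_marker === 'ran'; // tpl has not been rendered yet
  const rendered = tpl({ name: 'world' });

  delete globalThis.__cs_marker;
  let rejected = null;
  try {
    validateImports(hostile);
  } catch (e) {
    rejected = e.message;
  }
  const ranAfterGuard = globalThis.__cs_marker === 'ran';

  return { ranAtCompile, rendered, rejected, ranAfterGuard };
}

// Same pattern, but the hostile key arrives through a polluted Object.prototype
// while the caller's own object looks benign. Cleans up after itself.
function demoPollution() {
  const polluted = 'y = (globalThis.__cs_marker = "ran", 1)';
  Object.prototype[polluted] = undefined;
  try {
    delete globalThis.__cs_marker;
    compileLike({ greeting: 'hello' }, 'function (obj) { return greeting; }');
    const ranAtCompile = globalThis.__cs_marker === 'ran';
    let rejected = null;
    try {
      validateImports({ greeting: 'hello' });
    } catch (e) {
      rejected = e.message;
    }
    return { ranAtCompile, rejected };
  } finally {
    delete Object.prototype[polluted];
    delete globalThis.__cs_marker;
  }
}
```

Run `validateImports` over any imports object assembled from external input before it is handed to `_.template`. The prototype check is there because lodash merges imports with assignIn semantics, so a polluted `Object.prototype` contributes key names even when the caller's own object is clean; the guard refuses to proceed in that state rather than trying to filter inherited keys, since the upgrade is the only complete fix.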