Lodash CVE-2026-4800 Flaw Enables Code Injection via Template Options
A lodash flaw scoring 8.1 on the CVSS scale lets attackers inject arbitrary code through template options, targeting a library embedded in millions of web apps.

A high-severity vulnerability in lodash, one of the most widely downloaded JavaScript utility libraries on the internet, exposed a previously overlooked code path that allows attackers to inject executable code through crafted template options. The flaw, catalogued as CVE-2026-4800 and assigned a CVSS score of 8.1, was disclosed in a security advisory published March 31, 2026, and affects applications that pass untrusted input into lodash's _.template function.
The vulnerability traces directly to an incomplete fix. When developers patched CVE-2021-23337 five years ago, they added validation for the variable option inside _.template but left the options.imports key names unguarded. Both code paths funnel into the same Function() constructor sink, meaning attacker-controlled key names passed into options.imports can become carriers for injected default-parameter expressions that compile into live executable code at template compilation time. Object.prototype pollution in the runtime environment can escalate that risk further.
The attack requires no authenticated session and operates over the network, though the advisory categorized attack complexity as high. For web-facing services that render templates server-side, that combination is consequential: no credentials stand between a remote attacker and arbitrary code execution if untrusted input reaches the template engine unchecked.
The patched version is lodash 4.18.0. Organizations that cannot upgrade immediately were advised to block untrusted input from reaching options.imports key names and to verify that Object.prototype has not been polluted in affected runtime environments. No confirmed active exploitation was reported as of the advisory's publication, but maintainers urged treating the flaw as critical and applying mitigations without delay.
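One way to enforce the interim mitigation the advisory describes, as an added example that is not lodash's own code: validate every `options.imports` key name as a plain identifier before the options reach `_.template`, and refuse to compile at all when `Object.prototype` shows signs of pollution. The `validateImports` and `guardTemplateOptions` names, the reserved-word list and the call site are assumptions.

```javascript
// Added example (not lodash's code): guard applied to a _.template options
// object so that only plain identifier key names reach the Function() sink.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words cannot be parameter names; rejecting them here turns what
// would be a Function() SyntaxError into a clear validation error.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'new',
  'null', 'return', 'super', 'switch', 'this', 'throw', 'true', 'try',
  'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static',
  'await', 'arguments', 'eval'
]);

// True when Object.prototype carries no own enumerable properties, i.e.
// nothing a for...in walk over an imports object could pick up by inheritance.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Returns a fresh, prototype-less imports object holding only validated
// own keys, or throws. Inherited keys are never copied across.
function validateImports(imports) {
  if (imports === undefined || imports === null) return {};
  if (typeof imports !== 'object') {
    throw new TypeError('imports must be an object');
  }
  if (!prototypeIsClean()) {
    throw new Error('Object.prototype is polluted; refusing to compile templates');
  }
  const clean = Object.create(null);
  for (const key of Object.keys(imports)) {
    if (!IDENTIFIER.test(key) || RESERVED.has(key)) {
      throw new Error(`imports key ${JSON.stringify(key)} is not a plain identifier`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Wrap the options immediately before the call to _.template (call site assumed):
//   const compiled = _.template(source, guardTemplateOptions(options));
function guardTemplateOptions(options = {}) {
  return { ...options, imports: validateImports(options.imports) };
}
```

The guard is a stopgap for deployments that cannot yet move to 4.18.0; upgrading remains the fix.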

The practical challenge is scale. Lodash is embedded not just in applications that import it directly but in entire layers of transitive dependencies, meaning security teams cannot rely on first-party code audits alone. Multi-tenant platforms, server-side rendering pipelines, and CI/CD systems that compile templates against user-supplied data carry the highest exposure. The immediate 24-to-72-hour priority is running a full dependency tree inventory, scanning for any lodash instance below version 4.18.0, and queuing patches with the same urgency applied to a zero-day.
CVE-2026-4800 is also a case study in how partial fixes age poorly. The 2021 remediation narrowed the attack surface without eliminating it, and the residual gap went undetected long enough to require a new CVE designation years later. That pattern argues for periodic re-audits of prior vulnerability fixes, not just one-time patch application; a fix that was adequate when applied can become inadequate as security researchers probe adjacent code paths over time.