## Lodash Security Update: CVE-2026-4800 Exposes New Template Injection Vector in `options.imports`
A critical security update for the ubiquitous JavaScript utility library Lodash patches a newly disclosed vulnerability, CVE-2026-4800. This flaw exposes a fresh path for template injection attacks, stemming from incomplete validation in the `_.template` function. The vulnerability is a direct follow-on to the previously patched CVE-2021-23337, indicating a persistent and nuanced attack surface within the library's codebase.

The core of the issue lies in the `options.imports` parameter. While the fix for the earlier CVE-2021-23337 added security validation for the `variable` option, it did not apply the same safeguards to the key names within the `options.imports` object. Both data paths ultimately feed into the same `Function()` constructor, a known code-execution sink, so the gap left an exploitable oversight. An attacker who controls the keys of `imports` can therefore cause arbitrary code to execute in applications that use a vulnerable version of Lodash.

The update, moving from version 4.17.23 to 4.18.1, is flagged as a security priority. Given Lodash's massive adoption across millions of web and Node.js projects, this patch triggers a widespread dependency management scramble. Development teams must immediately review their dependency trees, as any delay in applying this update leaves applications exposed to a known and exploitable code injection risk. The recurrence of such flaws in template processing underscores the persistent challenge of securing dynamic code generation in foundational open-source libraries.
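As an added illustration of the defensive side of this report (example code written for this page, not Lodash's own code and not the fix shipped in 4.18.1), the following JavaScript pre-checks the options handed to `_.template`, rejecting any `variable` value or `imports` key that is not a plain identifier, and compares an installed version string against the 4.18.1 fix level the report names. It assumes, as the report states, that those names become parameter names of the generated `Function()`; the identifier regex, the reserved-word list and the `guardedTemplate` wrapper are this example's own and deliberately stricter than whatever Lodash itself enforces.

```javascript
// Added example, not part of the Lodash code base: a pre-compilation guard for
// _.template options. Assumption (taken from the report): `variable` and every
// key of `options.imports` end up as parameter names of a Function() call, so a
// name that is not a plain identifier must never reach the compiler.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Words that match the identifier regex but are not legal parameter names.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'yield', 'let', 'static', 'implements', 'interface',
  'package', 'private', 'protected', 'public', 'await', 'arguments', 'eval',
]);

function isSafeIdentifier(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Returns a list of problems; an empty list means the options can be passed on.
function validateTemplateOptions(options) {
  const problems = [];
  if (options == null || typeof options !== 'object') return problems;
  if (options.variable !== undefined && !isSafeIdentifier(options.variable)) {
    problems.push('variable: ' + JSON.stringify(options.variable));
  }
  if (options.imports != null && typeof options.imports === 'object') {
    for (const key of Object.keys(options.imports)) {
      if (!isSafeIdentifier(key)) problems.push('imports key: ' + JSON.stringify(key));
    }
  }
  return problems;
}

// Wraps a compiler such as _.template so unsafe options never reach it:
//   const tpl = guardedTemplate(_.template, source, { imports: { helper } });
function guardedTemplate(compile, source, options) {
  const problems = validateTemplateOptions(options);
  if (problems.length > 0) {
    throw new Error('Refusing to compile template; unsafe option(s): ' + problems.join('; '));
  }
  return compile(source, options);
}

// Dependency audit helper: plain x.y.z comparison (no pre-release tags).
const FIXED_LODASH_VERSION = '4.18.1'; // fix level as stated in the report

function versionAtLeast(installed, fixed) {
  const a = installed.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

function lodashIsPatched(installedVersion) {
  return versionAtLeast(installedVersion, FIXED_LODASH_VERSION);
}

// Constructed sample inputs for a stand-alone run.
console.log(validateTemplateOptions({ variable: 'data', imports: { helper: 1 } }));
console.log(validateTemplateOptions({ imports: { 'x, y': 1, '1abc': 2, this: 3 } }));
console.log(lodashIsPatched('4.17.23'), lodashIsPatched('4.18.1'));
```

The wrapper is a belt-and-braces control that keeps the strict identifier policy independent of which Lodash version is installed; it does not replace the upgrade, and the version helper only flags builds below the fix level named in the report, so pre-release or vendored copies still need a manual look.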
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, open-source, software-vulnerability, javascript, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-10 08:39:50
- **ID**: 58409
- **URL**: https://whisperx.ai/en/intel/58409