## CVE-2026-4800: Critical Lodash RCE Flaw Discovered in fosrl/pangolin Docker Image (CVSS 9.8)
Security researchers have identified a critical remote code execution vulnerability in the popular `fosrl/pangolin:1.18.1` Docker image, stemming from a vulnerable lodash package bundled in the image. Tracked as CVE-2026-4800 with a near-maximum CVSS score of 9.8, the flaw enables arbitrary code execution through unfiltered inputs in template imports. Organizations running this image face significant risk of host system compromise if attackers can control or influence template data fed into the vulnerable lodash instance.

The vulnerability was uncovered during a routine Trivy container image scan, revealing that the lodash dependency bundled within pangolin contains a template injection weakness. Unlike typical supply chain compromises, this flaw appears to be inherent in how the image packages lodash rather than the result of a malicious modification. The critical severity rating places it among the most dangerous vulnerabilities currently documented, exceeding the thresholds that typically trigger emergency patching cycles across enterprise environments. Developers using this image for automated workflows, data processing pipelines, or as a base component in larger systems should treat this as an immediate remediation priority.

The exposure vector centers on template imports processed through lodash's templating engine, where insufficient sanitization permits injection payloads. Organizations leveraging pangolin in production clusters, CI/CD pipelines, or containerized microservices should verify their exact image versions and consider rebuilding from patched sources or implementing compensating controls. Security teams are advised to audit running containers for this specific image tag and assess whether template inputs originate from untrusted sources. The fosrl/pangolin repository maintainers have been notified, though no patched version or official mitigation guidance has been released at time of publication.
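As an added defensive example (not code from the advisory or from the pangolin project), the following Python helper supports the two audit steps above: it checks image references against the affected tag regardless of registry prefix or pinned digest, and pulls the relevant findings out of a Trivy JSON report. It assumes Trivy's report layout (`ArtifactName`, `Results[].Vulnerabilities[]`), and the sample report is constructed.

```python
# Added triage helper (not from the advisory or the pangolin project).
# Assumes Trivy's JSON layout: ArtifactName, Results[].Vulnerabilities[]
# with VulnerabilityID, PkgName, InstalledVersion, Severity.
import json

AFFECTED = ("fosrl/pangolin", "1.18.1")
CVE_ID = "CVE-2026-4800"


def normalize_ref(ref: str) -> tuple[str, str]:
    """Reduce an image reference to (repository, tag), dropping any
    registry host and pinned digest so mirrored pulls still match."""
    ref = ref.split("@", 1)[0]  # drop a pinned digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]  # leading component is a registry host
    name = "/".join(parts)
    repo, sep, tag = name.rpartition(":")
    return (repo, tag) if sep else (name, "latest")


def is_affected_image(ref: str) -> bool:
    """True when `ref` resolves to the advisory's image tag."""
    return normalize_ref(ref) == AFFECTED


def triage_trivy_report(report_json: str) -> list[dict]:
    """Return findings matching the CVE, plus any CRITICAL lodash finding
    in case the scanner reports the flaw under a different id."""
    report = json.loads(report_json)
    hits = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key absent when clean
            if v.get("VulnerabilityID") == CVE_ID or (
                v.get("PkgName") == "lodash" and v.get("Severity") == "CRITICAL"
            ):
                hits.append({"target": result.get("Target"), "id": v.get("VulnerabilityID"),
                             "pkg": v.get("PkgName"), "version": v.get("InstalledVersion")})
    return hits


# Constructed sample report; the lodash version is a placeholder, not a real value.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "docker.io/fosrl/pangolin:1.18.1",
    "Results": [{"Target": "Node.js", "Vulnerabilities": [
        {"VulnerabilityID": CVE_ID, "PkgName": "lodash",
         "InstalledVersion": "<placeholder>", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
         "InstalledVersion": "1.0.0", "Severity": "LOW"},
    ]}],
})
```

Feed it the output of `docker ps --format '{{.Image}}'` for the tag check and `trivy image --format json` for the findings; a hit on either is a container to rebuild or isolate.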

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-4800, lodash, RCE, docker, vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-01 22:54:06
- **ID**: 78923
- **URL**: https://whisperx.ai/en/intel/78923