DEBIAN-CVE-2026-4800

Source
https://security-tracker.debian.org/tracker/CVE-2026-4800
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4800.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-4800
Upstream
  • CVE-2026-4800
Published
2026-03-31T20:16:29.660Z
Modified
2026-04-08T09:02:45.972743Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Patches: Users should upgrade to version 4.18.0.

Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

References

Affected packages

Debian:11 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.17.21+dfsg+~cs8.31.173-1
4.17.21+dfsg+~cs8.31.189.20210220-1
4.17.21+dfsg+~cs8.31.189.20210220-2~bpo11+1
4.17.21+dfsg+~cs8.31.189.20210220-2
4.17.21+dfsg+~cs8.31.189.20210220-3
4.17.21+dfsg+~cs8.31.196.20210220-1
4.17.21+dfsg+~cs8.31.196.20210220-2
4.17.21+dfsg+~cs8.31.198.20210220-1
4.17.21+dfsg+~cs8.31.198.20210220-2
4.17.21+dfsg+~cs8.31.198.20210220-3
4.17.21+dfsg+~cs8.31.198.20210220-4
4.17.21+dfsg+~cs8.31.198.20210220-5
4.17.21+dfsg+~cs8.31.198.20210220-6
4.17.21+dfsg+~cs8.31.198.20210220-7
4.17.21+dfsg+~cs8.31.198.20210220-8
4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+1
4.17.21+dfsg+~cs8.31.198.20210220-9~bpo11+2
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4800.json"

Debian:12 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4800.json"

Debian:13 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1
4.18.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4800.json"

Debian:14 / node-lodash

Package

Name
node-lodash
Purl
pkg:deb/debian/node-lodash?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.18.1+dfsg-1

Affected versions

4.*
4.17.21+dfsg+~cs8.31.198.20210220-9
4.17.21+dfsg+~cs8.31.198.20210220-10
4.17.23+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4800.json"