{"data":{"id":"fbaf59e6-4799-4cc6-9a21-6572f14e4066","title":"GHSA-r5fr-rjxr-66jc: lodash vulnerable to Code Injection via `_.template` imports key names","summary":"The lodash library has a code injection vulnerability in its `_.template` function (which compiles a template string into a reusable JavaScript function that fills in dynamic values). The key names of the `options.imports` object are used as identifiers in the source of the function lodash generates; before the fix they were not validated, so a key name containing arbitrary JavaScript is executed as code. An attacker can reach this in two ways: by supplying untrusted input as an imports key name, or, without controlling the imports object directly, by exploiting an existing prototype pollution bug (a technique where attackers add properties to `Object.prototype`, which all objects inherit from), because inherited properties were merged into the imports as well. In both cases the injected code runs as soon as `_.template` compiles the template, before the resulting template function is ever invoked.","solution":"Upgrade every affected package (`lodash`, `lodash-es`, `lodash-amd` and `lodash.template`) to version 4.18.0. The fix validates import key names using the same security checks already applied to the `variable` option, and it changes how imports are merged so that only the imports object's own properties, not properties inherited from the prototype chain, are included. Until the upgrade is in place, never let untrusted input decide the keys of `options.imports` (or the value of the `variable` option): treat these options as code rather than data and build the imports object from a fixed allow-list of names. The prototype-pollution vector also means any prototype pollution bug elsewhere in the dependency tree becomes arbitrary code execution wherever `_.template` is compiled, so such bugs should be fixed rather than tolerated.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r5fr-rjxr-66jc","publishedAt":"2026-04-01T23:51:12.000Z","cveId":"CVE-2026-4800","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":["lodash.template@>= 4.0.0, < 4.18.0 (fixed: 4.18.0)","lodash-amd@>= 4.0.0, <= 4.17.23 (fixed: 4.18.0)","lodash-es@>= 4.0.0, <= 4.17.23 (fixed: 4.18.0)","lodash@>= 4.0.0, <= 4.17.23 (fixed: 4.18.0)"],"affectedVendors":[],"affectedVendorsRaw":["lodash"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00068,"patchAvailable":true,"disclosureDate":"2026-04-01T23:51:12.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}