GHSA-r5fr-rjxr-66jc: lodash vulnerable to Code Injection via `_.template` imports key names
Summary
The lodash library has a code injection vulnerability in its `_.template` function (a tool that generates reusable text templates with dynamic values). Attackers can inject malicious code through the `options.imports` parameter, either by passing untrusted input as key names or by exploiting prototype pollution (a technique where attackers modify the default object properties that all objects inherit from). This allows arbitrary code to run when a template is compiled.
Solution / Mitigation
Users should upgrade to lodash version 4.18.0. The fix validates import key names using the same security checks applied to the `variable` option, and it changes how imports are merged to prevent inherited properties from being included.
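The advisory describes two paths to the same sink: an import key name that is not a plain identifier, and an inherited key picked up while imports are merged. The block below is an added example, not lodash's code or the 4.18.0 fix; it shows a minimal template compiler in which import key names become parameter names of a generated function (the shape `_.template` uses), and a `sanitizeImports` pre-check that enforces identifier-only keys and merges own enumerable properties only, so a polluted prototype cannot contribute keys. The `IDENTIFIER` regex, the `RESERVED` list, the `<%= %>` syntax and all function names are this example's own assumptions.

```javascript
// Added example (not lodash's own code). Demonstrates why import key names
// must be validated: they are spliced into generated source as parameter
// names. The regex, reserved-word list and helper names are assumptions.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  'arguments', 'eval', 'with', 'function', 'return', 'var', 'let', 'const',
  'this', 'new', 'delete', 'typeof', 'void', 'data',
]);

// A key is acceptable only if it is a single plain identifier.
function isSafeImportName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Copies only the caller's own enumerable entries into a prototype-less
// object; throws on any key that could alter the generated code.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  if (imports == null) return clean;
  for (const key of Object.keys(imports)) { // own keys only; ignores the prototype chain
    if (!isSafeImportName(key)) {
      throw new Error(`Invalid import key name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Minimal compiler: literal text plus <%= expr %> interpolations. Import
// names become parameters of the generated function, import values are
// bound when the template is rendered.
function compileTemplate(text, imports) {
  const safeImports = sanitizeImports(imports);
  const names = Object.keys(safeImports);
  const values = names.map((n) => safeImports[n]);

  let body = 'var __p = "";\n';
  const re = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    body += `__p += ${JSON.stringify(text.slice(last, m.index))};\n`;
    body += `__p += String((${m[1].trim()}));\n`;
    last = m.index + m[0].length;
  }
  body += `__p += ${JSON.stringify(text.slice(last))};\nreturn __p;`;

  // eslint-disable-next-line no-new-func
  const fn = new Function(...names, 'data', `with (data) {\n${body}\n}`);
  return (data) => fn(...values, data == null ? {} : data);
}

// Constructed sample: an imports object whose prototype carries an extra
// key. A for-in merge sees it; an own-key merge does not.
function compareMerging() {
  const proto = { polluted: 'value inherited from prototype' };
  const imports = Object.create(proto);
  imports.helper = (s) => s.toUpperCase();

  const naive = [];
  for (const k in imports) naive.push(k); // walks the prototype chain
  const safe = Object.keys(sanitizeImports(imports));
  return { naive, safe };
}

// Returns true when a malformed key name is refused before compilation.
function rejectsBadKey(key) {
  try {
    compileTemplate('<%= 1 %>', { [key]: 1 });
    return false;
  } catch (e) {
    return true;
  }
}

// Demo usage (the functions above return values for checking):
// compileTemplate('Hello <%= upper(name) %>!', { upper: (s) => s.toUpperCase() })({ name: 'ada' })
//   -> 'Hello ADA!'
```

The two checks mirror the two halves of the fix the advisory describes: the identifier test plays the role of the validation already applied to the `variable` option, and `Object.keys` plus a `null`-prototype target replaces an inherited-property-aware merge. Rejecting the key before `new Function` is called matters because older engines parsed the concatenated source as one string, so a key such as `"a, b"` would have rewritten the parameter list rather than failing.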
Vulnerability Details
EPSS: 0.1%
April 1, 2026
Original source: https://github.com/advisories/GHSA-r5fr-rjxr-66jc
First tracked: April 1, 2026 at 08:00 PM