Vulnerability-Lookup

WID-SEC-W-2026-1160

Vulnerability from csaf_certbund - Published: 2026-04-16 22:00 - Updated: 2026-05-04 22:00

Summary

Red Hat Enterprise Linux und Satellite (satellite/iop-remediations-rhel9 container image): Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution. Red Hat Satellite dient als zentrale Stelle für das Management, die Verteilung von Updates in Netzwerken mit Red Hat Enterprise Linux Systemen.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux und Red Hat Satellite ausnutzen, um Informationen offenzulegen oder beliebigen Code auszuführen.

Betroffene Betriebssysteme: - Linux

CVE-2026-30951

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Satellite 6.18 Red Hat / Satellite	`cpe:/a:redhat:satellite:6.18`	6.18
Red Hat Enterprise Linux 9 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9`	9
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

CVE-2026-4800

Affected products

Known affected 5 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Satellite 6.18 Red Hat / Satellite	`cpe:/a:redhat:satellite:6.18`	6.18
Red Hat Enterprise Linux 9 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9`	9
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—
RESF Rocky Linux RESF	`cpe:/o:resf:rocky_linux:-`	—

References

23 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2026:8498	external
https://access.redhat.com/errata/RHSA-2026:10131	external
https://access.redhat.com/errata/RHSA-2026:10175	external
https://access.redhat.com/errata/RHSA-2026:10713	external
https://access.redhat.com/errata/RHSA-2026:10710	external
https://linux.oracle.com/errata/ELSA-2026-10710.html	external
https://errata.build.resf.org/RLSA-2026:10710	external
https://access.redhat.com/errata/RHSA-2026:11493	external
https://access.redhat.com/errata/RHSA-2026:11471	external
https://access.redhat.com/errata/RHSA-2026:11470	external
https://access.redhat.com/errata/RHSA-2026:11516	external
https://linux.oracle.com/errata/ELSA-2026-10713.html	external
https://access.redhat.com/errata/RHSA-2026:11454	external
https://access.redhat.com/errata/RHSA-2026:11469	external
https://access.redhat.com/errata/RHSA-2026:11494	external
https://access.redhat.com/errata/RHSA-2026:11495	external
https://access.redhat.com/errata/RHSA-2026:12277	external
https://access.redhat.com/errata/RHSA-2026:12279	external
https://access.redhat.com/errata/RHSA-2026:13553	external
https://access.redhat.com/errata/RHSA-2026:13571	external
https://access.redhat.com/errata/RHSA-2026:13545	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.\r\nRed Hat Satellite dient als zentrale Stelle f\u00fcr das Management, die Verteilung von Updates in Netzwerken mit Red Hat Enterprise Linux Systemen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux und Red Hat Satellite ausnutzen, um Informationen offenzulegen oder beliebigen Code auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1160 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1160.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1160 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1160"
      },
      {
        "category": "external",
        "summary": "RedHat Security Advisory vom 2026-04-16",
        "url": "https://access.redhat.com/errata/RHSA-2026:8498"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10131 vom 2026-04-23",
        "url": "https://access.redhat.com/errata/RHSA-2026:10131"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10175 vom 2026-04-23",
        "url": "https://access.redhat.com/errata/RHSA-2026:10175"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10713 vom 2026-04-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:10713"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:10710 vom 2026-04-27",
        "url": "https://access.redhat.com/errata/RHSA-2026:10710"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-10710 vom 2026-04-27",
        "url": "https://linux.oracle.com/errata/ELSA-2026-10710.html"
      },
      {
        "category": "external",
        "summary": "Rocky Linux Security Advisory RLSA-2026:10710 vom 2026-04-28",
        "url": "https://errata.build.resf.org/RLSA-2026:10710"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11493 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11493"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11471 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11471"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11470 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11470"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11516 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11516"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2026-10713 vom 2026-04-28",
        "url": "https://linux.oracle.com/errata/ELSA-2026-10713.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11454 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11454"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11469 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11469"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11494 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11494"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:11495 vom 2026-04-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:11495"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:12277 vom 2026-04-30",
        "url": "https://access.redhat.com/errata/RHSA-2026:12277"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:12279 vom 2026-04-30",
        "url": "https://access.redhat.com/errata/RHSA-2026:12279"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13553 vom 2026-05-04",
        "url": "https://access.redhat.com/errata/RHSA-2026:13553"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13571 vom 2026-05-05",
        "url": "https://access.redhat.com/errata/RHSA-2026:13571"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:13545 vom 2026-05-04",
        "url": "https://access.redhat.com/errata/RHSA-2026:13545"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux und Satellite (satellite/iop-remediations-rhel9 container image): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-04T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-05T08:27:19.314+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-1160",
      "initial_release_date": "2026-04-16T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-16T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-04-27T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Rocky Enterprise Software Foundation aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat und Oracle Linux aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-04T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "7"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "RESF Rocky Linux",
            "product": {
              "name": "RESF Rocky Linux",
              "product_id": "T032255",
              "product_identification_helper": {
                "cpe": "cpe:/o:resf:rocky_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "RESF"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "Red Hat Enterprise Linux 9",
                  "product_id": "T052941",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "6.18",
                "product": {
                  "name": "Red Hat Satellite 6.18",
                  "product_id": "T052942",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:satellite:6.18"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Satellite"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-30951",
      "product_status": {
        "known_affected": [
          "67646",
          "T052942",
          "T052941",
          "T004914",
          "T032255"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-30951"
    },
    {
      "cve": "CVE-2026-4800",
      "product_status": {
        "known_affected": [
          "67646",
          "T052942",
          "T052941",
          "T004914",
          "T032255"
        ]
      },
      "release_date": "2026-04-16T22:00:00.000+00:00",
      "title": "CVE-2026-4800"
    }
  ]
}

CVE-2026-30951 (GCVE-0-2026-30951)

Vulnerability from cvelistv5 – Published: 2026-03-10 20:22 – Updated: 2026-03-11 14:40

Title

Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Summary

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS <type>) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/sequelize/sequelize/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
sequelize	sequelize	Affected: >= 6.0.0-beta.1, < 6.37.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T14:40:09.586637Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T14:40:34.034Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sequelize",
          "vendor": "sequelize",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-beta.1, \u003c 6.37.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS \u003ctype\u003e) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T00:19:12.793Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr"
        }
      ],
      "source": {
        "advisory": "GHSA-6457-6jrx-69cr",
        "discovery": "UNKNOWN"
      },
      "title": "Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30951",
    "datePublished": "2026-03-10T20:22:46.150Z",
    "dateReserved": "2026-03-07T17:34:39.980Z",
    "dateUpdated": "2026-03-11T14:40:34.034Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4800 (GCVE-0-2026-4800)

Vulnerability from cvelistv5 – Published: 2026-03-31 19:25 – Updated: 2026-03-31 20:37

Title

lodash vulnerable to Code Injection via `_.template` imports key names

Summary

Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function(). Patches: Users should upgrade to version 4.18.0. Workarounds: Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

openjs

References

3 references

URL	Tags
https://github.com/advisories/GHSA-35jh-r3h4-6jhm
https://github.com/lodash/lodash/commit/3469357cf…
https://cna.openjsf.org/security-advisories.html

Impacted products

4 products

Vendor	Product	Version
lodash	lodash	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-es	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-amd	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash.template	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)

Credits

dolevmiz1 bugbunny-research M0nd0R UlisesGascon falsyvalues jonchurch threalwinky jdalton

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4800",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T20:36:55.080392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T20:37:03.964Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash",
          "product": "lodash",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-es",
          "product": "lodash-es",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-amd",
          "product": "lodash-amd",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash.template",
          "product": "lodash.template",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "dolevmiz1"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "bugbunny-research"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "M0nd0R"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "UlisesGascon"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "falsyvalues"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "jonchurch"
        },
        {
          "lang": "en",
          "type": "reporter",
          "value": "threalwinky"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "jdalton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names."
            }
          ],
          "value": "Impact:\n\nThe fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.\n\nWhen an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.\n\nAdditionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().\n\nPatches:\n\nUsers should upgrade to version 4.18.0.\n\nWorkarounds:\n\nDo not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T19:25:55.987Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm"
        },
        {
          "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "lodash vulnerable to Code Injection via `_.template` imports key names",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-4800",
    "datePublished": "2026-03-31T19:25:55.987Z",
    "dateReserved": "2026-03-25T09:12:38.355Z",
    "dateUpdated": "2026-03-31T20:37:03.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1160

CVE-2026-30951 (GCVE-0-2026-30951)

CVE-2026-4800 (GCVE-0-2026-4800)

Tags

Sightings

Nomenclature