CVE-2026-4800: High-Severity Code Injection Flaw in lodash-es Library Exposes Applications
A newly disclosed high-severity vulnerability, CVE-2026-4800, exposes a critical code injection path in the widely used lodash-es JavaScript library. The flaw resides in the `_.template` utility, where insufficient validation of the `options.imports` key names allows an attacker to inject and execute arbitrary code during template compilation. This creates a direct vector for remote code execution if an application passes untrusted user input into this function.
The vulnerability is a bypass of a previous patch for CVE-2021-23337. While that fix added validation for the main `options` variable, it did not apply the same checks to the keys of the `options.imports` object. Both data paths ultimately flow into the same `Function()` constructor sink, a well-known dangerous pattern for code execution. Furthermore, `_.template` merges imports with `assignInWith`, which walks the object with a `for...in` loop and therefore enumerates inherited properties as well as own ones. This introduces a secondary risk: if `Object.prototype` has been polluted by a malicious actor, those inherited properties are merged too, potentially leading to further exploitation.
This vulnerability, classified as CWE-94 (Improper Control of Generation of Code), directly impacts any application using the affected versions of lodash-es (specifically version 4.17.21) that calls `_.template` with user-controlled data. The flaw was discovered in the dependency tree of the `closenow.ai` project during a deep security scan. A fix is available in lodash-es version 4.18.0. Developers are under immediate pressure to upgrade, as the exploitation scenario is straightforward for attackers who can control input to the vulnerable function, risking complete compromise of the application environment.
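Until an application can upgrade, the validation gap described above can be closed at the call site. The following is an added defensive example, not lodash's own code: it accepts only own-property keys that are plain JavaScript identifiers (the names `isSafeImportKey`, `sanitizeImports` and `inheritedKeys` are this example's own, and the reserved-word list is an assumed partial one), so that nothing reaching `_.template`'s `imports` can carry code or arrive through a polluted `Object.prototype`.

```javascript
// Added defensive wrapper (not part of lodash-es). Each key of `imports`
// becomes a parameter name in the compiled template function, so a key is
// only accepted if it is an own property and a bare identifier.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words cannot be parameter names; partial list (assumption).
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function', 'if',
  'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch', 'this', 'throw',
  'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static', 'enum',
  'await', 'implements', 'package', 'protected', 'interface', 'private', 'public',
  'null', 'true', 'false',
]);

function isSafeImportKey(key) {
  return typeof key === 'string' && IDENTIFIER_RE.test(key) && !RESERVED.has(key);
}

// Returns a fresh, prototype-less copy holding only validated own keys.
// Fails closed: the first unsafe key throws instead of being dropped silently.
function sanitizeImports(imports) {
  const clean = Object.create(null);
  if (imports == null) return clean;
  // Object.keys() yields own enumerable properties only, so keys that would
  // reach a for...in loop via Object.prototype are never copied.
  for (const key of Object.keys(imports)) {
    if (!isSafeImportKey(key)) {
      throw new Error(`unsafe template import name: ${JSON.stringify(key)}`);
    }
    clean[key] = imports[key];
  }
  return clean;
}

// Diagnostic: keys that for...in would merge but Object.keys() would not,
// i.e. the inherited names a polluted prototype could contribute.
function inheritedKeys(imports) {
  const own = new Set(Object.keys(imports));
  const result = [];
  for (const key in imports) if (!own.has(key)) result.push(key);
  return result;
}
```

Pass the result of `sanitizeImports(userImports)` as `options.imports` instead of the raw object; `inheritedKeys` is useful in a pre-deployment check to confirm no inherited names are present.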