Lodash Security Patch v4.18.1 Addresses Critical Template Injection Vulnerability (CVE-2026-4800)
A critical security vulnerability in the ubiquitous JavaScript utility library Lodash, one that exposes a path to remote code execution, has been patched. The flaw, tracked as CVE-2026-4800, resides in the `_.template` function and stems from incomplete validation of user input. While a previous patch (CVE-2021-23337) secured the `variable` option, the new advisory reveals that the `options.imports` key names were left unprotected, creating a parallel attack vector that flows into the same dangerous `Function()` constructor sink.
This vulnerability specifically affects the `lodash` package versions prior to 4.18.1. The update to version 4.18.1 is classified as a security release, directly addressing this oversight. The issue was identified and disclosed through GitHub's security advisory system, with the fix now being propagated via automated dependency management tools like RenovateBot. The patch is critical because the `_.template` function is widely used for client-side templating, and exploitation could allow attackers to execute arbitrary code in the context of the application.
The discovery underscores a persistent class of vulnerability in template engines and highlights the cascading risk when security fixes are not comprehensively applied across all code paths. For development teams, this is a high-priority update. Any application using an outdated version of Lodash is potentially vulnerable to template injection attacks, which could lead to data theft, system compromise, or further network intrusion. An immediate dependency review and an upgrade to lodash v4.18.1 or later are the necessary mitigation.
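As a practical complement to the upgrade advice, the following is an added example (not Lodash's code and not the project's patch) in JavaScript: a version-triage check against the fixed release named above, plus a defence-in-depth guard for callers who cannot upgrade yet that refuses `options.imports` key names that are not plain identifiers before `_.template` is invoked. `compileTemplateSafely` and its `compile` parameter are hypothetical wrappers, and the identifier-only rule is an assumption about what safe import names look like, not a description of the upstream fix.

```javascript
// Added example, not Lodash's own code. Two defender-side checks for the
// CVE-2026-4800 pattern: (1) triage installed versions against the fixed
// release 4.18.1; (2) defence in depth for callers that cannot upgrade yet,
// refusing `options.imports` keys that are not plain identifiers before they
// reach _.template. Assumption: import key names become parameter names of
// the generated Function(), so anything that is not an identifier is unsafe.

// Plain identifier: letters, digits, `_` and `$`, not starting with a digit.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words match the regex but are not legal parameter names, so they
// are refused as well (illustrative subset, not the full ECMAScript list).
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'default', 'delete',
  'do', 'else', 'finally', 'for', 'function', 'if', 'import', 'in', 'new',
  'return', 'switch', 'this', 'throw', 'try', 'typeof', 'var', 'void', 'while',
  'with', 'yield', 'let', 'static', 'await', 'null', 'true', 'false', 'eval',
  'arguments',
]);

// Return every import key that should not be passed to _.template.
function unsafeImportKeys(imports) {
  return Object.keys(imports || {}).filter(
    (key) => !IDENTIFIER.test(key) || RESERVED.has(key)
  );
}

// Guarded compile: `compile` is the caller's _.template (hypothetical here),
// called only after the import names have been vetted.
function compileTemplateSafely(compile, source, options = {}) {
  const bad = unsafeImportKeys(options.imports);
  if (bad.length > 0) {
    throw new Error(`unsafe template import names: ${JSON.stringify(bad)}`);
  }
  return compile(source, options);
}

// True when `version` (a plain x.y.z, optionally with a ^ or ~ range prefix
// as found in package.json) is older than the fixed release.
function isBelowFixedVersion(version, fixed = '4.18.1') {
  const parse = (v) => v.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
  const [have, want] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    const a = have[i] || 0, b = want[i] || 0;
    if (a !== b) return a < b;
  }
  return false;
}
```

The guard is a stopgap for codebases mid-upgrade; the advisory's actual mitigation remains moving to lodash 4.18.1 or later.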