npm package
lodash.template
pkg:npm/lodash.template
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4800 | Hig | 8.1 | >= 4.0.0, < 4.18.0 | 4.18.0 | Mar 31, 2026 | Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a | |
| CVE-2021-23337 | — | <= 4.5.0 | — | Feb 15, 2021 | Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. |
- affected >= 4.0.0, < 4.18.0fixed 4.18.0
Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a
- CVE-2021-23337Feb 15, 2021affected <= 4.5.0
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.