VYPR

npm package

lodash.template

pkg:npm/lodash.template

Vulnerabilities (2)

  • CVE-2026-4800HigMar 31, 2026
    affected >= 4.0.0, < 4.18.0fixed 4.18.0

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2021-23337Feb 15, 2021
    affected <= 4.5.0

    Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.