
Lodash: Code Injection and Prototype Pollution (CVE-2026)

Multiple vulnerabilities in lodash versions prior to 4.18.0 allow code injection and prototype pollution. Update to 4.18.0 to mitigate these risks.


Multiple vulnerabilities have been discovered in lodash, a popular utility library for Node.js. These vulnerabilities include code injection via `_.template` and prototype pollution via `_.unset` and `_.omit`. Users who pass untrusted input to these functions are at risk. Version 4.18.0 contains patches for these issues.

The highest CVSS score is 8.1, indicating a high-severity vulnerability.

What is Lodash?

Lodash is a JavaScript utility library that provides modularity, performance, and extras, with an emphasis on consistency and customization. It simplifies working with arrays, objects, strings, numbers, and more.

It is widely used in Node.js and browser environments to perform common programming tasks more efficiently. Lodash offers a range of functions for tasks like mapping, filtering, and reducing data. For more information, you can search all lodash CVEs.

CVE-2026-4800: Code Injection in `_.template`

CVSS: 8.1
Affected versions: Users of lodash versions prior to 4.18.0 are affected if they pass untrusted input as key names in `options.imports` to the `_.template` function.

High severity: Exploitable code execution with potential for significant impact.

An Exploit Prediction Scoring System (EPSS) score of 0.068 indicates a low probability of exploitation.

Untrusted input passed as key names in `options.imports` to `_.template` can lead to code injection. An attacker can inject default-parameter expressions, executing arbitrary code during template compilation.

How to fix CVE-2026-4800 in Lodash

Patch immediately
  1. Update lodash to version 4.18.0 or later:

     npm update lodash

  Note that `npm update` only moves within the version range declared in package.json, so confirm the resolved version afterwards with `npm ls lodash`.

Workaround: Do not pass untrusted input as key names in `options.imports`. Only use developer-controlled, static key names.

NextGuard automatically flags CVE-2026-4800 if lodash appears in any of your monitored projects — no manual lookup required.

CVE-2026-2950: Prototype Pollution in `_.unset` and `_.omit`

CVSS: 6.5
Affected versions: Users of lodash versions 4.17.23 and earlier are affected.

Medium severity: Limited impact, but potential for denial of service.

An Exploit Prediction Scoring System (EPSS) score of 0.042 indicates a low probability of exploitation.

The `_.unset` and `_.omit` functions are vulnerable to prototype pollution due to insufficient input validation. An attacker can bypass previous security measures by using array-wrapped path segments to delete properties from built-in prototypes.

How to fix CVE-2026-2950 in Lodash

Patch immediately
  1. Update lodash to version 4.18.0 or later:

     npm update lodash

  As above, confirm the resolved version afterwards with `npm ls lodash`, since `npm update` stays within the range declared in package.json.

Workaround: None. Upgrade to the patched version.
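Both workarounds above reduce to validating what reaches lodash: `options.imports` keys for `_.template`, and path segments for `_.unset` and `_.omit`. The guards below are an added example, not lodash's or NextGuard's code; the function names, the identifier allowlist and the forbidden-segment list are this example's own choices.

```javascript
// Added example, not lodash's own code: input guards for the two call
// patterns this advisory describes. They run before the lodash call;
// checkTemplateImports, checkPath and pathSegments are this example's names.

// Keys of options.imports are used as parameter names of the compiled
// template function, so only plain identifiers are acceptable. Anything
// else is rejected before it can reach _.template (CVE-2026-4800).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function checkTemplateImports(imports) {
  const rejected = Object.keys(imports).filter((k) => !IDENTIFIER.test(k));
  return { ok: rejected.length === 0, rejected };
}

// Path segments that would reach a built-in prototype. Segments are checked
// only after nested arrays have been unwrapped, so wrapping a segment in an
// array does not hide it from the check (CVE-2026-2950).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function pathSegments(path) {
  if (Array.isArray(path)) return path.flatMap(pathSegments);
  // Dotted or bracketed string path: 'a.b', 'a[0]', 'a["b"]'. String elements
  // of an array path are split the same way, which only makes the check stricter.
  return String(path)
    .split(/[.[\]]+/)
    .filter(Boolean)
    .map((s) => s.replace(/^(["'])(.*)\1$/, '$2'));
}

function checkPath(path) {
  const rejected = pathSegments(path).filter((s) => FORBIDDEN.has(s));
  return { ok: rejected.length === 0, rejected };
}

// Usage: validate first, and call lodash only when ok is true.
//   const check = checkTemplateImports(userImports);
//   if (!check.ok) throw new Error(`unsafe import keys: ${check.rejected}`);
//   const compiled = _.template(source, { imports: userImports });
//
//   if (!checkPath(userPath).ok) throw new Error('unsafe path');
//   _.unset(obj, userPath);
```

The guards are deliberately conservative: rejecting a legitimate but oddly named key is cheap, while letting an unsafe one through is not.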

Stay ahead of Node.js vulnerabilities

Proactively identify and remediate vulnerabilities in your Node.js projects. Use NextGuard to monitor your Node.js dependencies and receive alerts on new CVEs.

Update lodash to version 4.18.0 to address these critical security vulnerabilities. Regularly review all Node.js vulnerabilities to ensure your applications remain secure. Prioritize patching to mitigate potential risks.
