VDB
RHSA-2026%3A8498
RHSA-2026%3A8498
PUBLISHED
CVSS 8.100000381469727 HIGH
A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Risk Scores
CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 as a component of Red Hat Satellite 6.18 | registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 |
| Salesforce | flow | |
| lodash | lodash | |
| Red Hat | registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 as a component of Red Hat Satellite 6.18 | registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64, *, * |
Timeline
- Apr 16, 2026 CVE Published
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Distribution Patch
- Apr 29, 2026 Security Advisory
- Apr 29, 2026 Security Advisory
- Apr 29, 2026 Security Advisory
- Jun 23, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2026:8498 advisory
- https://access.redhat.com/documentation/en-us/red_hat_satellite/6.18/html/updating_red_hat_satellite/index advisory
- https://access.redhat.com/security/cve/CVE-2026-30951 advisory
- https://access.redhat.com/security/cve/CVE-2026-4800 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://catalog.redhat.com/software/containers/search advisory
- https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_connected_network_environment/performing-additional-configuration-on-server_satellite#installing-and-configuring-red-hat-lightspeed-in-satellite advisory
- https://docs.redhat.com/en/documentation/red_hat_satellite/6.18/html/installing_satellite_server_in_a_disconnected_network_environment/performing-additional-configuration#installing-and-configuring-red-hat-lightspeed-in-satellite advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8498.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2453496 issue
- https://www.cve.org/CVERecord?id=CVE-2026-4800 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-4800 advisory
- https://cna.openjsf.org/security-advisories.html advisory
- https://github.com/advisories/GHSA-35jh-r3h4-6jhm advisory
- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2446250 issue
- https://www.cve.org/CVERecord?id=CVE-2026-30951 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-30951 advisory
- https://github.com/sequelize/sequelize/security/advisories/GHSA-6457-6jrx-69cr advisory