VDB

RHSA-2026%3A8498

RHSA-2026%3A8498 PUBLISHED CVSS 8.100000381469727 HIGH

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().

Risk Scores

CVSS 3.1
8.100000381469727
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Red Hatregistry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 as a component of Red Hat Satellite 6.18registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64
Salesforceflow
lodashlodash
Red Hatregistry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64 as a component of Red Hat Satellite 6.18registry.redhat.io/satellite/iop-remediations-rhel9@sha256:94bfbcac75fca25a6babc06844a05703c5e745939c62288131f56e039877601c_amd64, *, *

Timeline

  • Apr 16, 2026 CVE Published
  • Apr 29, 2026 Distribution Patch
  • Apr 29, 2026 Distribution Patch
  • Apr 29, 2026 Security Advisory
  • Apr 29, 2026 Security Advisory
  • Apr 29, 2026 Security Advisory
  • Jun 23, 2026 CVE Updated

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›