Lucene search
K

44 matches found

Nuclei
Nuclei
added yesterday9 views

Lodash Template - Server-Side Template Injection (RCE)

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...

7.2CVSS6.7AI score0.2241EPSS
Exploits3References4
RedHat Linux
RedHat Linux
added 2026/07/02 12:3 a.m.9 views

lodash: lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. Additionally, .template uses assignInWith to merge imports, whi...

9.8CVSS6.5AI score0.01735EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/06/02 5:41 p.m.11 views

lodash: lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. Additionally, .template uses assignInWith to merge imports, whi...

9.8CVSS6.4AI score0.01735EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/05/04 11:37 p.m.17 views

lodash: lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. Additionally, .template uses assignInWith to merge imports, whi...

9.8CVSS6.1AI score0.01735EPSS
Exploits0References7
RedHat Linux
RedHat Linux
added 2026/04/29 5:57 a.m.16 views

lodash: lodash: Arbitrary code execution via untrusted input in template imports

A flaw was found in lodash. The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. Additionally, .template uses assignInWith to merge imports, whi...

9.8CVSS5.2AI score0.01735EPSS
Exploits0References7
vulnersOsv
vulnersOsv
added 2026/03/31 11:2 p.m.8 views

-fides-amor-et-lux (=1.0.0), -graphql-codegen-client-preset-swc-test (>=2.0.1 <=2.0.2) +49840 more potentially affected by CVE-2021-23337 +1 more via lodash (>=4.0.0 <=4.18.0)

lodash NPM version =4.0.0, =2.0.1, =1.0.49, =0.0.8, =0.2.0, =0.0.1, =1.0.0, =0.0.1, =1.0.7, =1.0.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JS-LODASH-15869625...

9.8CVSS6.8AI score0.2241EPSS
Exploits3
vulnersOsv
vulnersOsv
added 2026/03/31 11:2 p.m.8 views

com.newmediaworks:nmw-oss-website (>=1.7.0 <=1.11.0), com.pragmatickm:website (>=1.10.0 <=2.0.0) +102 more potentially affected by CVE-2021-23337 +1 more via org.webjars.npm:lodash (>=4.0.0 <=4.17.5)

org.webjars.npm:lodash MAVEN version =4.0.0, =1.7.0, =1.10.0, =1.11.0, =1.7.0, =1.6.1, =1.11.0, =1.13.0, =1.0, =1.0, =1.0, =1.2.0, =3.5.0, =3.5.0, =3.5.0, =3.12.0 and more Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15869630...

9.8CVSS6.8AI score0.2241EPSS
Exploits3
vulnersOsv
vulnersOsv
added 2026/03/31 11:2 p.m.11 views

@dojo/cli-test-intern (>=0.1.0 <=2.0.0-beta3.1), express_mvc (>=4.1.1 <=4.3.10) +7 more potentially affected by CVE-2021-23337 +1 more via lodash-amd (>=4.16.4 <=4.17.23)

lodash-amd NPM version =4.16.4, =0.1.0, =4.1.1, =3.4.0, =0.0.1, =1.0.14, =0.0.7, =0.0.1, =0.1.5 - xirtam--matrix-operations =0.1.3 Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JS-LODASHAMD-15869626...

9.8CVSS6.8AI score0.2241EPSS
Exploits3
Snyk
Snyk
added 2026/03/31 11:2 p.m.6 views

Arbitrary Code Injection

Overview org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in .template. An attacker can execute arbitrar...

9.8CVSS7.1AI score0.2241EPSS
Exploits3References2
Atlassian
Atlassian
added 2025/11/14 6:27 a.m.19 views

Command Injection Third-Party Dependency in Bitbucket Data Center and Server - CVE-2021-23337

This High severity vulnerability known as CVE-2021-23337 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6, 8.19.7, 8.19.8, 8.19.9, 8.19.10, 8.19.11, 8.19.12, 8.19.13, 8.19.14, 8.19.15 of Bitbucket Data Center and Server. This vulnerability with a CVSS Score of 7.2 and a CV...

7.2CVSS6.8AI score0.2241EPSS
Exploits3
IBM Security Bulletins
IBM Security Bulletins
added 2025/07/23 4:15 p.m.15 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to command injection due to the lodash package (CVE-2021-23337)

Summary Lodash is used by DataStage on Cloud Pak for Data as part of data manipulation. Vulnerability Details CVEID:CVE-2021-23337 DESCRIPTION: Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. CWE:CWE-94: Improper Control of Generation of Code 'Code...

7.2CVSS7.5AI score0.2241EPSS
Exploits3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2023/12/12 5:31 p.m.35 views

Security Bulletin: Watson Machine Learning Accelerator on Cloud Pak for Data Version is affected by multiple vulnerabilties

Summary Mutiple open source vulnerabilties affects Watson Machine Learning Accelerator on Cloud Pak for Data Version 2.3.3 and have been addressed in version 2.3.4. Vulnerability Details CVEID:CVE-2021-23566 DESCRIPTION: Nanoid could allow a local attacker to obtain sensitive information, caused ...

9.1CVSS9.6AI score0.42326EPSS
Exploits15Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2023/09/07 10:42 a.m.56 views

Security Bulletin: Vulnerabilities found in Turf.js which is shipped with IBM® Intelligent Operations Center [CVE-2020-28500, CVE-2020-8203, CVE-2019-1010266, CVE-2019-10744, CVE-2021-23337 and CVE-2018-16487]

Summary Multiple vulnerabilities have been identified in Turf.js which is shipped with IBM® Intelligent Operations Center. Information about these vulnerabilities affecting IBM® Intelligent Operations Center have been published and addressed the applicable CVEs. Vulnerability Details...

9.1CVSS8.4AI score0.2241EPSS
Exploits8Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2023/04/24 3:1 p.m.54 views

Security Bulletin: IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203

Summary There are vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 which affects IBM Engineering Workflow Management EWM. Vulnerability Details CVEID:CVE-2020-9281 DESCRIPTION: CKEditor is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the...

7.4CVSS6.7AI score0.2241EPSS
Exploits6Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2023/02/01 9:34 p.m.158 views

Security Bulletin: Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500)

Summary There is a vulnerability in Node.js lodash that could allow remote execution of arbitrary commands. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2021-23337 DESCRIPTION: Node.js...

7.2CVSS7.4AI score0.2241EPSS
Exploits4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/10/18 1:51 p.m.53 views

Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has released a new version which addresses the vulnerabilities. Vulnerability Details CVEID:CVE-2019-11358 DESCRIPTION: jQuery, as used in Drupal core, is...

9.8CVSS9.3AI score0.99019EPSS
Exploits37Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/07/08 7:2 p.m.126 views

Security Bulletin: CVE-2021-23337

Summary Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. Vulnerability Details CVEID: CVE-2021-23337 DESCRIPTION: Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command...

7.2CVSS2.6AI score0.2241EPSS
Exploits3Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/06/27 3:53 a.m.55 views

Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744)

Summary lodash is used by Tivoli Netcool/OMNIbus WebGUI as part of its web client component. The fix includes lodash v4.17.21. Vulnerability Details CVEID: CVE-2019-1010266 DESCRIPTION: Lodash is vulnerable to a denial of service, caused by uncontrolled resource consumption in Date handler. By...

9.1CVSS0.9AI score0.2241EPSS
Exploits9Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/05/24 6:34 p.m.87 views

Security Bulletin: Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities

Summary Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities. IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2020-28469 DESCRIPTION: Node.js...

7.5CVSS1.1AI score0.2241EPSS
Exploits8Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2022/03/23 11:4 a.m.236 views

Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX

Summary Lodash versions prior to 4.17.21 caused vulnerability in PowerHA System Mirror for AIX releases in service. Vulnerability Details CVEID: CVE-2021-23337 DESCRIPTION: Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a...

7.2CVSS7.6AI score0.2241EPSS
Exploits4Affected Software1
Rows per page
Query Builder