18 matches found
ROOT-APP-NPM-CVE-2021-23337 CVE-2021-23337 in @rootio/lodash.template - Patched by Root
Root has patched CVE-2021-23337 in the @rootio/lodash.template package for Root:npm. Multiple fixed versions available...
Updated cockpit packages fix security vulnerabilities
CVE-2026-4631, Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects...
Important: Red Hat Security Advisory: OpenShift Container Platform 4.20.23 security and extras update
Red Hat OpenShift Container Platform release 4.20.23 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.20. Red Hat Product Security has rated this update as having a security impact of...
ALSA-2026:10710 Important: pcs security update
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Security Fixes: lodash: lodash: Arbitrary code execution via untrusted input in template imports CVE-2026-4800 For more details about the security issues, including the impact, a CVSS score,...
Linux Distros Unpatched Vulnerability : CVE-2026-4800
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: The fix for CVE-2021-23337 https://github.com/advisories/GHSA-35jh-r3h4-6jhm added validation for the variable option in .template but did not apply the...
lodash vulnerable to Code Injection via `_.template` imports key names
Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...
org.webjars.npm:autolinker (>=0.24.1 <=0.28.1), org.webjars.npm:github-com-mattslocum-ng-webworker (=0.2.3) +10 more potentially affected by CVE-2021-23337 +1 more via org.webjars.npm:lodash.template (=4.5.0)
org.webjars.npm:lodash.template MAVEN version =4.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:lodash.template and may be impacted: - org.webjars.npm:autolinker =0.24.1, =2.9.0, =1.8.12, =3.5.0, =2.3.4, =2.5.17-beta.0 -...
Arbitrary Code Injection
Overview lodash.template is the Lodash method .template exported as a Node.js module. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilatio...
Arbitrary Code Injection
Overview org.webjars.npm:lodash.template is the Lodash method .template exported as a Node.js module. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been pollute...
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
Summary Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. Details Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server....
GHSA-2H87-4Q2W-V4HF Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
Summary Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. Details Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server....
Malicious code in get-lodash-template-vars (npm)
Source: ghsa-malware 7916d6bceee662db12088e55ab01e3ad32487d802c99bf7dc60e63c156d5bf0e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@cobalt-engine/co-validator (>=1.0.0 <=1.1.2), @cobalt-engine/ctl (=1.0.0) +31 more potentially affected by CVE-2021-23337 via lodash-template (=1.0.0)
lodash-template NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on lodash-template and may be impacted: - @cobalt-engine/co-validator =1.0.0, =4.5.3, =3.0.0, =1.0.0, =0.1.10, =5.0.0, =2.0.0, =4.0.0, =1.0.1, =3.0.3, =3.0.0, =4.0.0, =4.2....
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 02-infrastructure (=1.0.0) +54245 more potentially affected by CVE-2021-23337 via lodash.template (>=2.2.1 <=4.5.0)
lodash.template NPM version =2.2.1, =1.0.1, =0.0.2, =0.0.10 - 0x0.icu.anima =0.1.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 - 0xgank-tea-characteristic =1.0.0 -...
UBUNTU-CVE-2021-23337
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function...
Code Injection
Overview lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Code Injection due to the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template...