CVE-2026-4800 (GHSA-r5fr-rjxr-66jc) is a CVSS 8.1 code injection vulnerability in lodash’s _.template function affecting three npm packages (lodash, lodash-es, lodash-amd), exploitable when user-controlled data reaches the template imports option; EPSS is low (21st percentile) and no CISA KEV listing or active exploitation is confirmed at this time. Given lodash’s ubiquity across the npm ecosystem, organizations should immediately run dependency scans to identify exposure, audit application code for user-influenced _.template usage, and upgrade to the patched version once confirmed via the OSV advisory at osv.dev/vulnerability/GHSA-r5fr-rjxr-66jc.