CVE-2026-4800 (CVSS 7.5, GHSA-r5fr-rjxr-66jc) is a code injection vulnerability in lodash’s _.template function affecting lodash, lodash-es, and lodash-amd on npm; exploitation requires attacker-controlled data to reach the imports parameter of _.template, and current EPSS (0.068%) reflects low observed exploitation activity. Specific affected version ranges must be verified against NVD and OSV.dev before patching, as they were not confirmed in available source data. Inventory all applications and pipelines consuming lodash for _.template usage with external imports, upgrade to a confirmed patched version when available, and flag any code path passing user-controlled data into _.template imports as a critical remediation item regardless of patch status.