CVE-2026-4800 (CVSS 7.3, CWE-94) is a code injection vulnerability in lodash’s _.template function affecting the lodash, lodash-es, and lodash-amd npm packages; attackers who control import key names passed to the template options object can execute arbitrary JavaScript in the application runtime. EPSS is low (0.00068, 21st percentile) and no CISA KEV listing exists, but lodash’s pervasive presence as a direct and transitive dependency across the npm ecosystem means the blast radius of vulnerable deployments is broad. Priority actions are to inventory all applications with lodash dependencies using npm ls or SCA tooling, identify any code paths where user-supplied data reaches _.template imports, patch to the vendor-confirmed fixed version per the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-4800) and OSV advisory (https://osv.dev/vulnerability/GHSA-r5fr-rjxr-66jc), and add CWE-94 coverage to SAST rules for dynamic code generation patterns.