underscore (npm)
2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting underscore (page 1 of 1)
- CVE-2021-23358 · LOW · CVSS 3.3 · EG 3.3 · ✓ Fixed in 1.12.1 · 2021-03-29
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not saniti…
- CVE-2026-27601 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 1.13.8 · 2026-03-03
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial …