CVE-2021-23358

CVE-2021-23358 concerns the Underscore.js package. Multiple connected documents confirm the vulnerability affects versions up to 1.13.0-2 and earlier than 1.13.0-2 (e.g., 1.3.2 and 1.12.1 and prior), describing Arbitrary Code Injection via the template function when a variable property is passed ...

CVE-2026-27601

CVE-2026-27601 affects Underscore.js prior to 1.13.8. The vulnerability arises when _.flatten or _.isEqual recursively processes deeply nested, untrusted input without a depth limit, enabling a Denial of Service via stack overflow under specific data structures (e.g., inputs created via JSON.pars...