underscore — CVE history (npm)
underscore
2 CVEs affect the underscore npm package (highest CVSS 5.9). Latest disclosed: 2026-03-03. Full CVE history sourced from NVD.
Summary
- Package
underscore(npm)- Total CVEs
2- Actively exploited (CISA KEV)
- 0
- Highest CVSS
5.9- Latest disclosed
- 2026-03-03
Recent CVEs (top 2)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27601 | Medium | 5.9 | — | 2026-03-03 | Underscore.js is a utility-belt library for JavaScript. |
CVE-2021-23358 | Low | 3.3 | — | 2021-03-29 | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not saniti… |
All-time worst (top 2 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27601 | Medium | 5.9 | — | 2026-03-03 | Underscore.js is a utility-belt library for JavaScript. |
CVE-2021-23358 | Low | 3.3 | — | 2021-03-29 | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not saniti… |