underscore — CVE history (npm)

underscore

2 CVEs affect the underscore npm package (highest CVSS 5.9). Latest disclosed: 2026-03-03. Full CVE history sourced from NVD.

Summary

Package
underscore (npm)
Total CVEs
2
Actively exploited (CISA KEV)
0
Highest CVSS
5.9
Latest disclosed
2026-03-03

Recent CVEs (top 2)

CVESeverityCVSSKEVPublishedSummary
CVE-2026-27601Medium5.92026-03-03Underscore.js is a utility-belt library for JavaScript.
CVE-2021-23358Low3.32021-03-29The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not saniti…

All-time worst (top 2 by CVSS)

CVESeverityCVSSKEVPublishedSummary
CVE-2026-27601Medium5.92026-03-03Underscore.js is a utility-belt library for JavaScript.
CVE-2021-23358Low3.32021-03-29The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not saniti…