CVE-2021-23358

Arbitrary Code Execution in underscore

Description

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

Severity

Ecosystem

JavaScript

Publish Date

May 6, 2021

Modified Date

November 4, 2025

Score Vector

Affected Versions