The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Published: 2021-03-29

CVSS: 7.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Download CVE-2021-23358 POC (Proof-of-Concept) here:

Tip: Download official Tor Browser at https://www.torproject.org/download/ to access .onion links.

https://connollyfinan.ie/poc-267-cve-2022-22719/

https://connollyfinan.ie/poc-85-cve-2023-2745/

https://connollyfinan.ie/poc-126-cve-2010-2730/

https://connollyfinan.ie/poc-72-cve-2025-43300/