underscore.js needs to be updated because of CVE-2026-27601 #40857

@Hexmage

Description

Preconditions and environment

  • Magento version: All of them including the current 2.4.9 alpha

Steps to reproduce

underscore.js has a security vulnerability which can potentially be abused to DDoS the website in certain scenarios (CVE-2026-27601).

This has been fixed in 1.13.8 but the latest version in the repo is 1.13.7.

Expected result

n/a

Actual result

n/a

Additional information

No response

Release note

No response

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

Status: Ready for Confirmation
