CVE-2026-27601: Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploit Status: Not Exploited
Patch Tuesday: 2026-Mar
Released: 2026-03-07
EPSS Score: 0.04% (percentile: 13.3%)

Affected Products (11)

Open Source Software

  • azl3 boost 1.83.0-2 on Azure Linux 3.0
  • cbl2 cyrus-sasl 2.1.28-4 on CBL Mariner 2.0
  • cbl2 cyrus-sasl-bootstrap 2.1.28-4 on CBL Mariner 2.0
  • azl3 cyrus-sasl 2.1.28-8 on Azure Linux 3.0
  • azl3 cyrus-sasl-bootstrap 2.1.28-8 on Azure Linux 3.0
  • azl3 krb5 1.21.3-3 on Azure Linux 3.0
  • cbl2 python-sphinx 4.4.0-3 on CBL Mariner 2.0
  • cbl2 python-sqlalchemy 1.4.32-2 on CBL Mariner 2.0
  • cbl2 rsyslog 8.2204.1-4 on CBL Mariner 2.0
  • azl3 rsyslog 8.2308.0-5 on Azure Linux 3.0

Mariner

  • azl3 numpy 1.26.3-4 on Azure Linux 3.0

Revision History

  • 2026-03-07: Information published.