CVE-2026-27601 (GCVE-0-2026-27601)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:38 – Updated: 2026-03-04 16:44 – CWE-770 - Allocation of Resources Without Limits or Throttling
| Vendor | Product | Version |
|---|---|---|
| jashkenas | underscore | Affected: < 1.13.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:44:25.481747Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:44:40.856Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "underscore",
"vendor": "jashkenas",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:38:38.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"
},
{
"name": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"
},
{
"name": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"
}
],
"source": {
"advisory": "GHSA-qpx9-hpmf-5gmw",
"discovery": "UNKNOWN"
},
"title": "Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27601",
"datePublished": "2026-03-03T22:38:38.955Z",
"dateReserved": "2026-02-20T19:43:14.602Z",
"dateUpdated": "2026-03-04T16:44:40.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27601\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-03T23:15:55.560\",\"lastModified\":\"2026-03-05T21:08:35.320\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. 
This vulnerability is fixed in 1.13.8.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"1.13.8\",\"matchCriteriaId\":\"413BC96A-931D-45FE-A85A-EC967B6D43D7\"}]}]}],\"references\":[{\"url\":\"https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27601\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-04T16:44:25.481747Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-04T16:44:34.757Z\"}}], \"cna\": {\"title\": \"Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack\", \"source\": {\"advisory\": \"GHSA-qpx9-hpmf-5gmw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"jashkenas\", \"product\": \"underscore\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.13.8\"}]}], \"references\": [{\"url\": \"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw\", \"name\": \"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4\", \"name\": \"https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": 
\"https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84\", \"name\": \"https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. 
This vulnerability is fixed in 1.13.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-03T22:38:38.955Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27601\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-04T16:44:40.856Z\", \"dateReserved\": \"2026-02-20T19:43:14.602Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-03T22:38:38.955Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-27601
Vulnerability from fkie_nvd - Published: 2026-03-03 23:15 - Updated: 2026-03-05 21:08
| Vendor | Product | Version |
|---|---|---|
| underscorejs | underscore | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:underscorejs:underscore:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "413BC96A-931D-45FE-A85A-EC967B6D43D7",
"versionEndExcluding": "1.13.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8."
},
{
"lang": "es",
"value": "Underscore.js es una librer\u00eda de utilidades para JavaScript. Antes de la versi\u00f3n 1.13.8, las funciones _.flatten y _.isEqual usan recursi\u00f3n sin un l\u00edmite de profundidad. Bajo condiciones muy espec\u00edficas, detalladas a continuaci\u00f3n, un atacante podr\u00eda explotar esto en un ataque de denegaci\u00f3n de servicio (DoS) al desencadenar un desbordamiento de pila. Se debe usar entrada no confiable para crear una estructura de datos recursiva, por ejemplo, usando JSON.parse, sin un l\u00edmite de profundidad impuesto. La estructura de datos as\u00ed creada debe pasarse a _.flatten o _.isEqual. En el caso de _.flatten, la vulnerabilidad solo puede ser explotada si es posible para un cliente remoto preparar una estructura de datos que consista en arrays en todos los niveles Y si no se pasa un l\u00edmite de profundidad finito como segundo argumento a _.flatten. En el caso de _.isEqual, la vulnerabilidad solo puede ser explotada si existe una ruta de c\u00f3digo en la que dos estructuras de datos distintas que fueron enviadas por el mismo cliente remoto se comparan usando _.isEqual. Por ejemplo, si un cliente env\u00eda datos que se almacenan en una base de datos, y el mismo cliente puede luego enviar otra estructura de datos que luego se compara con los datos que se guardaron en la base de datos previamente, O si un cliente env\u00eda una \u00fanica solicitud, pero sus datos se analizan dos veces, creando dos estructuras de datos no id\u00e9nticas pero equivalentes que luego se comparan. Las excepciones que se originan de la llamada a _.flatten o _.isEqual, como resultado de un desbordamiento de pila, no est\u00e1n siendo capturadas. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 1.13.8."
}
],
"id": "CVE-2026-27601",
"lastModified": "2026-03-05T21:08:35.320",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-03T23:15:55.560",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
OPENSUSE-SU-2026:10440-1
Vulnerability from csaf_opensuse - Published: 2026-03-26 00:00 - Updated: 2026-03-26 00:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jupyter-nbclassic-1.3.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jupyter-nbclassic-1.3.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10440",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10440-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27601 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27601/"
}
],
"title": "jupyter-nbclassic-1.3.3-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-26T00:00:00Z",
"generator": {
"date": "2026-03-26T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10440-1",
"initial_release_date": "2026-03-26T00:00:00Z",
"revision_history": [
{
"date": "2026-03-26T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jupyter-nbclassic-1.3.3-1.1.aarch64",
"product": {
"name": "jupyter-nbclassic-1.3.3-1.1.aarch64",
"product_id": "jupyter-nbclassic-1.3.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-nbclassic-1.3.3-1.1.aarch64",
"product": {
"name": "python311-nbclassic-1.3.3-1.1.aarch64",
"product_id": "python311-nbclassic-1.3.3-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-nbclassic-1.3.3-1.1.aarch64",
"product": {
"name": "python313-nbclassic-1.3.3-1.1.aarch64",
"product_id": "python313-nbclassic-1.3.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-nbclassic-1.3.3-1.1.ppc64le",
"product": {
"name": "jupyter-nbclassic-1.3.3-1.1.ppc64le",
"product_id": "jupyter-nbclassic-1.3.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-nbclassic-1.3.3-1.1.ppc64le",
"product": {
"name": "python311-nbclassic-1.3.3-1.1.ppc64le",
"product_id": "python311-nbclassic-1.3.3-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-nbclassic-1.3.3-1.1.ppc64le",
"product": {
"name": "python313-nbclassic-1.3.3-1.1.ppc64le",
"product_id": "python313-nbclassic-1.3.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-nbclassic-1.3.3-1.1.s390x",
"product": {
"name": "jupyter-nbclassic-1.3.3-1.1.s390x",
"product_id": "jupyter-nbclassic-1.3.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-nbclassic-1.3.3-1.1.s390x",
"product": {
"name": "python311-nbclassic-1.3.3-1.1.s390x",
"product_id": "python311-nbclassic-1.3.3-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-nbclassic-1.3.3-1.1.s390x",
"product": {
"name": "python313-nbclassic-1.3.3-1.1.s390x",
"product_id": "python313-nbclassic-1.3.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-nbclassic-1.3.3-1.1.x86_64",
"product": {
"name": "jupyter-nbclassic-1.3.3-1.1.x86_64",
"product_id": "jupyter-nbclassic-1.3.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-nbclassic-1.3.3-1.1.x86_64",
"product": {
"name": "python311-nbclassic-1.3.3-1.1.x86_64",
"product_id": "python311-nbclassic-1.3.3-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-nbclassic-1.3.3-1.1.x86_64",
"product": {
"name": "python313-nbclassic-1.3.3-1.1.x86_64",
"product_id": "python313-nbclassic-1.3.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-nbclassic-1.3.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.aarch64"
},
"product_reference": "jupyter-nbclassic-1.3.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-nbclassic-1.3.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.ppc64le"
},
"product_reference": "jupyter-nbclassic-1.3.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-nbclassic-1.3.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.s390x"
},
"product_reference": "jupyter-nbclassic-1.3.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-nbclassic-1.3.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.x86_64"
},
"product_reference": "jupyter-nbclassic-1.3.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-nbclassic-1.3.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.aarch64"
},
"product_reference": "python311-nbclassic-1.3.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-nbclassic-1.3.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.ppc64le"
},
"product_reference": "python311-nbclassic-1.3.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-nbclassic-1.3.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.s390x"
},
"product_reference": "python311-nbclassic-1.3.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-nbclassic-1.3.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.x86_64"
},
"product_reference": "python311-nbclassic-1.3.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-nbclassic-1.3.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.aarch64"
},
"product_reference": "python313-nbclassic-1.3.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-nbclassic-1.3.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.ppc64le"
},
"product_reference": "python313-nbclassic-1.3.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-nbclassic-1.3.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.s390x"
},
"product_reference": "python313-nbclassic-1.3.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-nbclassic-1.3.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.x86_64"
},
"product_reference": "python313-nbclassic-1.3.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27601",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27601"
}
],
"notes": [
{
"category": "general",
"text": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27601",
"url": "https://www.suse.com/security/cve/CVE-2026-27601"
},
{
"category": "external",
"summary": "SUSE Bug 1259157 for CVE-2026-27601",
"url": "https://bugzilla.suse.com/1259157"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:jupyter-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python311-nbclassic-1.3.3-1.1.x86_64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.aarch64",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.ppc64le",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.s390x",
"openSUSE Tumbleweed:python313-nbclassic-1.3.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-26T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-27601"
}
]
}
OPENSUSE-SU-2026:10424-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jupyter-bqplot-jupyterlab-0.5.46-14.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jupyter-bqplot-jupyterlab-0.5.46-14.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10424",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10424-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-25547 page",
"url": "https://www.suse.com/security/cve/CVE-2026-25547/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27601 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27601/"
}
],
"title": "jupyter-bqplot-jupyterlab-0.5.46-14.1 on GA media",
"tracking": {
"current_release_date": "2026-03-25T00:00:00Z",
"generator": {
"date": "2026-03-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10424-1",
"initial_release_date": "2026-03-25T00:00:00Z",
"revision_history": [
{
"date": "2026-03-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"product_id": "jupyter-bqplot-notebook-0.5.46-14.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-14.1.aarch64",
"product": {
"name": "python311-bqplot-0.12.45-14.1.aarch64",
"product_id": "python311-bqplot-0.12.45-14.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"product_id": "jupyter-bqplot-notebook-0.5.46-14.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-14.1.ppc64le",
"product": {
"name": "python311-bqplot-0.12.45-14.1.ppc64le",
"product_id": "python311-bqplot-0.12.45-14.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"product_id": "jupyter-bqplot-notebook-0.5.46-14.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-14.1.s390x",
"product": {
"name": "python311-bqplot-0.12.45-14.1.s390x",
"product_id": "python311-bqplot-0.12.45-14.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"product": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"product_id": "jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64"
}
},
{
"category": "product_version",
"name": "jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"product": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"product_id": "jupyter-bqplot-notebook-0.5.46-14.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-bqplot-0.12.45-14.1.x86_64",
"product": {
"name": "python311-bqplot-0.12.45-14.1.x86_64",
"product_id": "python311-bqplot-0.12.45-14.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64"
},
"product_reference": "jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-bqplot-notebook-0.5.46-14.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64"
},
"product_reference": "jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-14.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64"
},
"product_reference": "python311-bqplot-0.12.45-14.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-14.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le"
},
"product_reference": "python311-bqplot-0.12.45-14.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-14.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x"
},
"product_reference": "python311-bqplot-0.12.45-14.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-bqplot-0.12.45-14.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
},
"product_reference": "python311-bqplot-0.12.45-14.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-25547",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-25547"
}
],
"notes": [
{
"category": "general",
"text": "@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-25547",
"url": "https://www.suse.com/security/cve/CVE-2026-25547"
},
{
"category": "external",
"summary": "SUSE Bug 1257834 for CVE-2026-25547",
"url": "https://bugzilla.suse.com/1257834"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-25547"
},
{
"cve": "CVE-2026-27601",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27601"
}
],
"notes": [
{
"category": "general",
"text": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27601",
"url": "https://www.suse.com/security/cve/CVE-2026-27601"
},
{
"category": "external",
"summary": "SUSE Bug 1259157 for CVE-2026-27601",
"url": "https://bugzilla.suse.com/1259157"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-jupyterlab-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.aarch64",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.ppc64le",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.s390x",
"openSUSE Tumbleweed:jupyter-bqplot-notebook-0.5.46-14.1.x86_64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.aarch64",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.ppc64le",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.s390x",
"openSUSE Tumbleweed:python311-bqplot-0.12.45-14.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-27601"
}
]
}
OPENSUSE-SU-2026:10427-1
Vulnerability from csaf_opensuse - Published: 2026-03-25 00:00 - Updated: 2026-03-25 00:00
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "jupyter-matplotlib-0.11.7-17.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the jupyter-matplotlib-0.11.7-17.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10427",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10427-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-27601 page",
"url": "https://www.suse.com/security/cve/CVE-2026-27601/"
}
],
"title": "jupyter-matplotlib-0.11.7-17.1 on GA media",
"tracking": {
"current_release_date": "2026-03-25T00:00:00Z",
"generator": {
"date": "2026-03-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10427-1",
"initial_release_date": "2026-03-25T00:00:00Z",
"revision_history": [
{
"date": "2026-03-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jupyter-matplotlib-0.11.7-17.1.aarch64",
"product": {
"name": "jupyter-matplotlib-0.11.7-17.1.aarch64",
"product_id": "jupyter-matplotlib-0.11.7-17.1.aarch64"
}
},
{
"category": "product_version",
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"product": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"product_id": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-ipympl-0.9.7-17.1.aarch64",
"product": {
"name": "python311-ipympl-0.9.7-17.1.aarch64",
"product_id": "python311-ipympl-0.9.7-17.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-ipympl-0.9.7-17.1.aarch64",
"product": {
"name": "python313-ipympl-0.9.7-17.1.aarch64",
"product_id": "python313-ipympl-0.9.7-17.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-matplotlib-0.11.7-17.1.ppc64le",
"product": {
"name": "jupyter-matplotlib-0.11.7-17.1.ppc64le",
"product_id": "jupyter-matplotlib-0.11.7-17.1.ppc64le"
}
},
{
"category": "product_version",
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"product": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"product_id": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-ipympl-0.9.7-17.1.ppc64le",
"product": {
"name": "python311-ipympl-0.9.7-17.1.ppc64le",
"product_id": "python311-ipympl-0.9.7-17.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-ipympl-0.9.7-17.1.ppc64le",
"product": {
"name": "python313-ipympl-0.9.7-17.1.ppc64le",
"product_id": "python313-ipympl-0.9.7-17.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-matplotlib-0.11.7-17.1.s390x",
"product": {
"name": "jupyter-matplotlib-0.11.7-17.1.s390x",
"product_id": "jupyter-matplotlib-0.11.7-17.1.s390x"
}
},
{
"category": "product_version",
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"product": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"product_id": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-ipympl-0.9.7-17.1.s390x",
"product": {
"name": "python311-ipympl-0.9.7-17.1.s390x",
"product_id": "python311-ipympl-0.9.7-17.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-ipympl-0.9.7-17.1.s390x",
"product": {
"name": "python313-ipympl-0.9.7-17.1.s390x",
"product_id": "python313-ipympl-0.9.7-17.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jupyter-matplotlib-0.11.7-17.1.x86_64",
"product": {
"name": "jupyter-matplotlib-0.11.7-17.1.x86_64",
"product_id": "jupyter-matplotlib-0.11.7-17.1.x86_64"
}
},
{
"category": "product_version",
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"product": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"product_id": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-ipympl-0.9.7-17.1.x86_64",
"product": {
"name": "python311-ipympl-0.9.7-17.1.x86_64",
"product_id": "python311-ipympl-0.9.7-17.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-ipympl-0.9.7-17.1.x86_64",
"product": {
"name": "python313-ipympl-0.9.7-17.1.x86_64",
"product_id": "python313-ipympl-0.9.7-17.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-0.11.7-17.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.aarch64"
},
"product_reference": "jupyter-matplotlib-0.11.7-17.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-0.11.7-17.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.ppc64le"
},
"product_reference": "jupyter-matplotlib-0.11.7-17.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-0.11.7-17.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.s390x"
},
"product_reference": "jupyter-matplotlib-0.11.7-17.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-0.11.7-17.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.x86_64"
},
"product_reference": "jupyter-matplotlib-0.11.7-17.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64"
},
"product_reference": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le"
},
"product_reference": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x"
},
"product_reference": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64"
},
"product_reference": "jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-ipympl-0.9.7-17.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.aarch64"
},
"product_reference": "python311-ipympl-0.9.7-17.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-ipympl-0.9.7-17.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.ppc64le"
},
"product_reference": "python311-ipympl-0.9.7-17.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-ipympl-0.9.7-17.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.s390x"
},
"product_reference": "python311-ipympl-0.9.7-17.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-ipympl-0.9.7-17.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.x86_64"
},
"product_reference": "python311-ipympl-0.9.7-17.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ipympl-0.9.7-17.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.aarch64"
},
"product_reference": "python313-ipympl-0.9.7-17.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ipympl-0.9.7-17.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.ppc64le"
},
"product_reference": "python313-ipympl-0.9.7-17.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ipympl-0.9.7-17.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.s390x"
},
"product_reference": "python313-ipympl-0.9.7-17.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-ipympl-0.9.7-17.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.x86_64"
},
"product_reference": "python313-ipympl-0.9.7-17.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27601",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-27601"
}
],
"notes": [
{
"category": "general",
"text": "Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.x86_64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-27601",
"url": "https://www.suse.com/security/cve/CVE-2026-27601"
},
{
"category": "external",
"summary": "SUSE Bug 1259157 for CVE-2026-27601",
"url": "https://bugzilla.suse.com/1259157"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.x86_64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.aarch64",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.ppc64le",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.s390x",
"openSUSE Tumbleweed:jupyter-matplotlib-jupyterlab-0.11.7-17.1.x86_64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python311-ipympl-0.9.7-17.1.x86_64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.aarch64",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.ppc64le",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.s390x",
"openSUSE Tumbleweed:python313-ipympl-0.9.7-17.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-27601"
}
]
}
cleanstart-2026-dv49099
Vulnerability from cleanstart
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-DV49099",
"modified": "2026-03-23T10:49:42Z",
"published": "2026-04-01T09:31:16.419730Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DV49099.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-gs57401
Vulnerability from cleanstart
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.3-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GS57401",
"modified": "2026-03-19T07:48:38Z",
"published": "2026-04-01T09:43:24.793409Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GS57401.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1",
"upstream": [
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-2391",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
MSRC_CVE-2026-27601
Vulnerability from csaf_microsoft - Published: 2026-03-02 00:00 - Updated: 2026-03-17 14:38
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2026-27601 Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-27601.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"tracking": {
"current_release_date": "2026-03-17T14:38:08.000Z",
"generator": {
"date": "2026-03-18T07:02:55.512Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2026-27601",
"initial_release_date": "2026-03-02T00:00:00.000Z",
"revision_history": [
{
"date": "2026-03-07T01:04:18.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2026-03-17T14:38:08.000Z",
"legacy_version": "2",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"category": "product_name",
"name": "azl3 boost 1.83.0-2",
"product": {
"name": "azl3 boost 1.83.0-2",
"product_id": "10"
}
},
{
"category": "product_name",
"name": "cbl2 cyrus-sasl 2.1.28-4",
"product": {
"name": "cbl2 cyrus-sasl 2.1.28-4",
"product_id": "8"
}
},
{
"category": "product_name",
"name": "cbl2 cyrus-sasl-bootstrap 2.1.28-4",
"product": {
"name": "cbl2 cyrus-sasl-bootstrap 2.1.28-4",
"product_id": "7"
}
},
{
"category": "product_name",
"name": "azl3 cyrus-sasl 2.1.28-8",
"product": {
"name": "azl3 cyrus-sasl 2.1.28-8",
"product_id": "6"
}
},
{
"category": "product_name",
"name": "azl3 cyrus-sasl-bootstrap 2.1.28-8",
"product": {
"name": "azl3 cyrus-sasl-bootstrap 2.1.28-8",
"product_id": "5"
}
},
{
"category": "product_name",
"name": "azl3 krb5 1.21.3-3",
"product": {
"name": "azl3 krb5 1.21.3-3",
"product_id": "9"
}
},
{
"category": "product_name",
"name": "cbl2 python-sphinx 4.4.0-3",
"product": {
"name": "cbl2 python-sphinx 4.4.0-3",
"product_id": "4"
}
},
{
"category": "product_name",
"name": "cbl2 python-sqlalchemy 1.4.32-2",
"product": {
"name": "cbl2 python-sqlalchemy 1.4.32-2",
"product_id": "3"
}
},
{
"category": "product_name",
"name": "azl3 numpy 1.26.3-4",
"product": {
"name": "azl3 numpy 1.26.3-4",
"product_id": "11"
}
},
{
"category": "product_name",
"name": "cbl2 rsyslog 8.2204.1-4",
"product": {
"name": "cbl2 rsyslog 8.2204.1-4",
"product_id": "2"
}
},
{
"category": "product_name",
"name": "azl3 rsyslog 8.2308.0-5",
"product": {
"name": "azl3 rsyslog 8.2308.0-5",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 boost 1.83.0-2 as a component of Azure Linux 3.0",
"product_id": "17084-10"
},
"product_reference": "10",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cyrus-sasl 2.1.28-4 as a component of CBL Mariner 2.0",
"product_id": "17086-8"
},
"product_reference": "8",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cyrus-sasl-bootstrap 2.1.28-4 as a component of CBL Mariner 2.0",
"product_id": "17086-7"
},
"product_reference": "7",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cyrus-sasl 2.1.28-8 as a component of Azure Linux 3.0",
"product_id": "17084-6"
},
"product_reference": "6",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cyrus-sasl-bootstrap 2.1.28-8 as a component of Azure Linux 3.0",
"product_id": "17084-5"
},
"product_reference": "5",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 krb5 1.21.3-3 as a component of Azure Linux 3.0",
"product_id": "17084-9"
},
"product_reference": "9",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-sphinx 4.4.0-3 as a component of CBL Mariner 2.0",
"product_id": "17086-4"
},
"product_reference": "4",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-sqlalchemy 1.4.32-2 as a component of CBL Mariner 2.0",
"product_id": "17086-3"
},
"product_reference": "3",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 numpy 1.26.3-4 as a component of Azure Linux 3.0",
"product_id": "17084-11"
},
"product_reference": "11",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 rsyslog 8.2204.1-4 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 rsyslog 8.2308.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-27601",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-10",
"17086-8",
"17086-7",
"17084-6",
"17084-5",
"17084-9",
"17086-4",
"17086-3",
"17084-11",
"17086-2",
"17084-1"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"known_not_affected": [
"17084-10",
"17086-8",
"17086-7",
"17084-6",
"17084-5",
"17084-9",
"17086-4",
"17086-3",
"17084-11",
"17086-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2026-27601 Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-27601.json"
}
],
"title": "Underscore.js has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack"
}
]
}
GHSA-QPX9-HPMF-5GMW
Vulnerability from github – Published: 2026-03-03 17:46 – Updated: 2026-03-04 02:00
Impact
In simple words, some programs that use _.flatten or _.isEqual could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows.
In affected versions of Underscore, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow.
A proof of concept (PoC) for this type of attack with _.isEqual:
```js
const _ = require('underscore');

// build JSON string for nested object ~4500 levels deep
// (for this to be an attack, the JSON would have to come from
// a request or other untrusted input)
let json = '';
for (let i = 0; i < 4500; i++) json += '{"n":';
json += '"x"';
for (let i = 0; i < 4500; i++) json += '}';

// construct two distinct objects with equal shape from the above JSON
const a = JSON.parse(json);
const b = JSON.parse(json);

_.isEqual(a, b); // RangeError: Maximum call stack size exceeded
```
A proof of concept (PoC) for this type of attack with _.flatten:
```js
const _ = require('underscore');

// build nested array ~4500 levels deep
// (like with _.isEqual, this nested array would have to be sourced
// from an untrusted external source for it to be an attack)
let nested = [];
for (let i = 0; i < 4500; i++) nested = [nested];

_.flatten(nested); // RangeError: Maximum call stack size exceeded
```
An application that crashes because of this can be restarted, so the bug is most relevant to applications for which continued operation is important, such as server applications. Furthermore, an application is only vulnerable to this type of attack if ALL of the following conditions are met:
- Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit.
- The datastructure thus created must be passed to _.flatten or _.isEqual.
- In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten.
- In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared.
- Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught.
All versions of Underscore up to and including 1.13.7 are affected by this weakness.
Patches
The problem has been patched in version 1.13.8. Upgrading to 1.13.8 or later completely prevents exploitation.
Note: historically, there have been breaking changes in minor releases of Underscore, especially between versions 1.6 and 1.9. However, upgrading from version 1.9 or later to any later 1.x version should be feasible with little or no effort for all users.
Workarounds
A workaround that works for both functions is to enforce a depth limit on the datastructure that is created from untrusted input. A limit of 1000 levels should prevent attacks from being successful on most systems. In systems with highly constrained hardware, we recommend lower limits, for example 100 levels.
Another possible workaround that only works for _.flatten, is to pass a second argument that limits the flattening depth to 1000 or less.
References
- https://github.com/jashkenas/underscore/issues/3011
- https://underscorejs.org/#1.13.8
- https://underscorejs.org/#flatten
- https://underscorejs.org/#isEqual
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.13.7"
},
"package": {
"ecosystem": "npm",
"name": "underscore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27601"
],
"database_specific": {
"cwe_ids": [
"CWE-674",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:46:06Z",
"nvd_published_at": "2026-03-03T23:15:55Z",
"severity": "HIGH"
},
"details": "### Impact\n\nIn simple words, some programs that use `_.flatten` or `_.isEqual` could be made to crash. Someone who wants to do harm may be able to do this on purpose. This can only be done if the program has special properties. It only works in Underscore versions up to 1.13.7. A more detailed explanation follows.\n\nIn affected versions of Underscore, the `_.flatten` and `_.isEqual` functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow.\n\nA proof of concept (PoC) for this type of attack with `_.isEqual`:\n\n```js\nconst _ = require(\u0027underscore\u0027);\n\n// build JSON string for nested object ~4500 levels deep\n// (for this to be an attack, the JSON would have to come from\n// a request or other untrusted input)\nlet json = \u0027\u0027;\nfor (let i = 0; i \u003c 4500; i++) json += \u0027{\"n\":\u0027;\njson += \u0027\"x\"\u0027;\nfor (let i = 0; i \u003c 4500; i++) json += \u0027}\u0027;\n\n// construct two distinct objects with equal shape from the above JSON\nconst a = JSON.parse(json);\nconst b = JSON.parse(json);\n\n_.isEqual(a, b); // RangeError: Maximum call stack size exceeded\n```\n\nA proof of concept (PoC) for this type of attack with `_.flatten`:\n\n```js\nconst _ = require(\u0027underscore\u0027);\n\n// build nested array ~4500 levels deep\n// (like with _.isEqual, this nested array would have to be sourced\n// from an untrusted external source for it to be an attack)\nlet nested = [];\nfor (let i = 0; i \u003c 4500; i++) nested = [nested];\n\n_.flatten(nested); // RangeError: Maximum call stack size exceeded\n```\n\nAn application that crashes because of this can be restarted, so the bug is most relevant to applications for which continued operation is important, such as server applications. Furthermore, an application is only vulnerable to this type of attack if ALL of the following conditions are met:\n\n- Untrusted input must be used to create a recursive datastructure, for example using `JSON.parse`, with no enforced depth limit.\n- The datastructure thus created must be passed to `_.flatten` or `_.isEqual`.\n- In the case of `_.flatten`, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to `_.flatten`.\n- In the case of `_.isEqual`, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using `_.isEqual`. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared.\n- Exceptions originating from the call to `_.flatten` or `_.isEqual`, as a result of a stack overflow, are not being caught.\n\nAll versions of Underscore up to and including 1.13.7 are affected by this weakness.\n\n### Patches\n\nThe problem has been patched in version 1.13.8. Upgrading to 1.13.8 or later completely prevents exploitation.\n\n**Note:** historically, there have been breaking changes in minor releases of Underscore, especially between versions 1.6 and 1.9. However, upgrading from version 1.9 or later to any later 1.x version should be feasible with little or no effort for all users.\n\n### Workarounds\n\nA workaround that works for both functions is to enforce a depth limit on the datastructure that is created from untrusted input. A limit of 1000 levels should prevent attacks from being successful on most systems. In systems with highly constrained hardware, we recommend lower limits, for example 100 levels.\n\nAnother possible workaround that only works for `_.flatten`, is to pass a second argument that limits the flattening depth to 1000 or less.\n\n### References\n\n- https://github.com/jashkenas/underscore/issues/3011\n- https://underscorejs.org/#1.13.8\n- https://underscorejs.org/#flatten\n- https://underscorejs.org/#isEqual",
"id": "GHSA-qpx9-hpmf-5gmw",
"modified": "2026-03-04T02:00:05Z",
"published": "2026-03-03T17:46:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://github.com/jashkenas/underscore/issues/3011"
},
{
"type": "WEB",
"url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4"
},
{
"type": "WEB",
"url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84"
},
{
"type": "PACKAGE",
"url": "https://github.com/jashkenas/underscore"
},
{
"type": "WEB",
"url": "https://underscorejs.org/#1.13.8"
},
{
"type": "WEB",
"url": "https://underscorejs.org/#flatten"
},
{
"type": "WEB",
"url": "https://underscorejs.org/#isEqual"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.