Summary
flotr2.min.js (including the latest v2.0.2 release) bundles Underscore.js 1.1.7, which is affected by CVE-2026-27601 (CVSS 7.5 HIGH).
Vulnerability details
CVE: CVE-2026-27601
Advisory: GHSA-qpx9-hpmf-5gmw
Affected component: Underscore.js < 1.13.8 (bundled in flotr2.min.js as version 1.1.7)
Type: Denial of Service (DoS) via stack overflow
CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)
The _.flatten and _.isEqual functions in Underscore.js recurse once per nesting level of their input with no depth limit. An attacker who can get deeply nested data passed to one of these functions (for example, a JSON document of the form [[[[...]]]] that the application parses with JSON.parse from untrusted input) can exhaust the call stack. In JavaScript engines this surfaces as a RangeError ("Maximum call stack size exceeded"); if it is not caught, the calling code aborts and the page or service stops responding. Whether a given deployment is exploitable depends on whether attacker-controlled data actually reaches these functions, directly or through Flotr2's own calls into Underscore.
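To make the failure mode concrete, the following is an added example written for this report, not Underscore's or Flotr2's code: a naive recursive flatten in the style the advisory describes (one stack frame per nesting level, no limit) beside an iterative, depth-bounded replacement. The MAX_DEPTH value, the nested() input builder and the sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example, not Underscore's or Flotr2's code: a naive recursive
// flatten in the style the advisory describes (one stack frame per nesting
// level, no depth limit) next to an iterative, depth-bounded replacement.

// Vulnerable pattern: recursion depth equals input nesting depth.
function naiveFlatten(input) {
  return input.reduce((memo, value) => {
    if (Array.isArray(value)) return memo.concat(naiveFlatten(value));
    memo.push(value);
    return memo;
  }, []);
}

// Assumed policy limit for this example; real code would pick a limit that
// covers legitimate inputs (chart data is rarely nested more than a few levels).
const MAX_DEPTH = 512;

// Hardened version: explicit work stack instead of recursion, and the depth
// is tracked per element so over-deep input is rejected with a clear error
// instead of exhausting the engine's call stack.
function safeFlatten(input, maxDepth = MAX_DEPTH) {
  const out = [];
  const work = [{ value: input, depth: 0 }];
  while (work.length > 0) {
    const { value, depth } = work.pop();
    if (!Array.isArray(value)) {
      out.push(value);
      continue;
    }
    if (depth >= maxDepth) {
      throw new Error(`nesting limit exceeded (${maxDepth})`);
    }
    // Push children in reverse so they are popped in document order.
    for (let i = value.length - 1; i >= 0; i--) {
      work.push({ value: value[i], depth: depth + 1 });
    }
  }
  return out;
}

// Constructed attacker input: [[[...[leaf]...]]] nested `depth` levels.
// Built with a loop; the same shape is what JSON.parse returns for
// '[' repeated depth times + '1' + ']' repeated depth times from an
// untrusted source.
function nested(depth, leaf = 1) {
  let v = [leaf];
  for (let i = 1; i < depth; i++) v = [v];
  return v;
}

// Run `fn` on `input` and report success or the error class hit.
function tryFlatten(fn, input) {
  try {
    return { ok: true, result: fn(input) };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

// Shallow JSON input from JSON.parse is fine for both implementations.
const small = JSON.parse('[1,[2,[3]],[],[[4]]]');
console.log(JSON.stringify(naiveFlatten(small)), JSON.stringify(safeFlatten(small)));

// Deep input: the naive version dies with RangeError (call stack exhausted);
// the hardened one refuses with an ordinary Error and never recurses.
const deep = nested(100000);
console.log(tryFlatten(naiveFlatten, deep));
console.log(tryFlatten(safeFlatten, deep));
```

The same shape applies to _.isEqual: a recursive deep comparison walks both inputs in lockstep, so the fix is likewise an explicit work list plus a depth or size bound, not a try/catch around the call (catching the RangeError keeps the process alive but still lets each request burn the whole stack).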
Affected Flotr2 builds
All current build outputs that bundle dependencies are affected:
flotr2.js
flotr2.min.js
flotr2.ie.min.js
The flotr2.nolibs.js / flotr2.nolibs.min.js builds are not affected since they do not bundle Underscore.js.
Reproduction
The bundled Underscore.js version can be confirmed by inspecting flotr2.min.js:
// Underscore.js 1.1.7
// (c) 2011 Jeremy Ashkenas, DocumentCloud Inc.
And in the minified code: w.VERSION="1.1.7"
Requested fix
Update the bundled Underscore.js dependency from 1.1.7 to 1.13.8 or later, which contains the fix (commit 411e222).
The Underscore.js API is backwards-compatible for the subset of functions Flotr2 uses (_.each, _.map, _.filter, _.extend, _.clone, _.bind, _.keys, _.isFunction, _.isArray, etc.), so this should be a safe upgrade.