CVE-2026-29091

High CVSS: 8.1

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.

Vendor

Locutus

Product

Locutus

CWE

CWE-95

Yayın Tarihi

2026-03-06 18:16:20

Güncelleme

2026-03-13 19:07:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-95 Locutus HIGH Locutus 2026

Referanslar

https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de500ad https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6 https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6

Benzer Kayıtlar

Medium

CVE-2026-33993

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, t…

Medium

CVE-2026-33994

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39…

Critical

CVE-2026-32304

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the creat…

Critical

CVE-2026-25521

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to…