Filtered by vendor Locutus
Subscriptions
Filtered by product Locutus
Subscriptions
Total
4 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-29091 | 1 Locutus | 1 Locutus | 2026-03-09 | 8.1 High |
| Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0. | ||||
| CVE-2026-25521 | 1 Locutus | 1 Locutus | 2026-02-20 | 8.8 High |
| Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. | ||||
| CVE-2021-23392 | 1 Locutus | 1 Locutus | 2024-11-21 | 5.3 Medium |
| The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function. | ||||
| CVE-2020-7719 | 1 Locutus | 1 Locutus | 2024-11-21 | 9.8 Critical |
| Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function. | ||||
Page 1 of 1.