VYPR
Vendor: Locutus

Products: 1
CVEs: 5
Across products: 5
Status: Private

Recent CVEs (5)
  • CVE-2026-33994 · Cri · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute…

  • CVE-2026-33993 · Cri · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__`…

  • CVE-2026-32304 · Mar 12, 2026
    risk 0.00 · cvss · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This…

  • CVE-2026-29091 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.01

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability…

  • CVE-2026-25521 · Feb 4, 2026
    risk 0.00 · cvss · epss 0.00

    Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking…