
Locutus

2 CVEs product

Monthly

CVE-2026-29091 npm HIGH PATCH This Week

Remote code execution in Locutus prior to version 3.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript code through improper validation in the call_user_func_array function, which unsafely passes user-controlled callback parameters to eval(). Applications using the vulnerable versions of this JavaScript standard library implementation are at risk of complete compromise through network-based attacks. No patch is currently available for affected deployments.

RCE Code Injection Locutus Red Hat
NVD GitHub VulDB
CVSS 3.1: 8.1
EPSS: 0.3%
CVE-2026-25521 npm HIGH POC PATCH This Week

Locutus versions up to 2.0.39 are affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 8.8).

Code Injection Locutus Red Hat
NVD GitHub
CVSS 3.1: 8.8
EPSS: 0.0%
