This page aggregates CVE and security vulnerability information for the locutus product family and lists CVSS, EPSS, publication date, and vulnerability details for each entry.
Past issues have mainly concerned denial of service (vendor risk), some of which lead to application crashes, and affect scenarios involving software deployment and production workloads on the vendor surface.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33994 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the `parse_str` function of the npm package locutus. An attacker can pollute `Object.prototype` by overriding `RegExp.prototype.test` and then passing a crafted query string to `parse_str`, bypassing the prototype pollution guard. This vulnerability stems from an incomplete fix for CVE-2026-25521. The C | [email protected] | 6.3 | 0.07% | 2026-03-27 | 2026-04-01 |
| CVE-2026-33993 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables p | [email protected] | 6.9 | 0.05% | 2026-03-27 | 2026-04-01 |
| CVE-2026-32304 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14. | [email protected] | 9.8 | 0.15% | 2026-03-13 | 2026-03-19 |
| CVE-2026-29091 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), w | [email protected] | 8.1 | 0.48% | 2026-03-06 | 2026-03-13 |
| CVE-2026-25521 | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. | [email protected] | 9.4 | 0.01% | 2026-02-04 | 2026-02-20 |
| CVE-2021-23392 | The package locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function. | [email protected] | 5.3 | 0.41% | 2021-06-08 | 2024-11-21 |
| CVE-2020-7719 | Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function. | [email protected] | 9.8 | 1.72% | 2020-09-01 | 2024-11-21 |
| CVE-2020-13619 | php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution. | [email protected] | 9.8 | 1.22% | 2020-07-01 | 2024-11-21 |