Vulnerability Description
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Locutus | Locutus | < 3.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/locutusjs/locutus/commit/977a1fb169441e35996a1d2465b512322de5Patch
- https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6ExploitMitigationVendor Advisory
- https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-29091?
CVE-2026-29091 is a vulnerability with a CVSS score of 8.1 (HIGH). Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specific...
How severe is CVE-2026-29091?
CVE-2026-29091 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29091?
Check the references section above for vendor advisories and patch information. Affected products include: Locutus Locutus.