CVE-2026-32304
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk43th percentile - higher than 43% of all known CVEs
Summary
Locutus library before version 3.0.14 has a vulnerability in the create_function(args, code) function that passes both parameters directly to the Function constructor without sanitization, allowing arbitrary JavaScript code execution.
Risk Assessment
An attacker can remotely execute arbitrary JavaScript code in the context of the application using Locutus, potentially leading to session hijacking, data theft, or further attack escalation.
Recommendation
Immediately update the Locutus library to version 3.0.14 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

