CVE Catalog

CVE-2026-32304

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.57%

43th percentile - higher than 43% of all known CVEs

Summary

Locutus library before version 3.0.14 has a vulnerability in the create_function(args, code) function that passes both parameters directly to the Function constructor without sanitization, allowing arbitrary JavaScript code execution.

Risk Assessment

An attacker can remotely execute arbitrary JavaScript code in the context of the application using Locutus, potentially leading to session hijacking, data theft, or further attack escalation.

Recommendation

Immediately update the Locutus library to version 3.0.14 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS