CVE-2026-29091
Severity: HIGH
locutus < 3.0.0 - Remote Code Execution via call_user_func_array Eval Injection
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions prior to 3.0.0, a remote code execution (RCE) flaw exists in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. The issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
References (2)
Vendor Advisory: https://github.com/locutusjs/locutus/security/advisories/GHSA-fp25-p6mj-qqg6
Scores
CVSS v3: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0063
EPSS Percentile: 45.1%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-95
Status: published
Products (1): locutus/locutus < 3.0.0
Published: Mar 06, 2026
Tracked Since: Mar 07, 2026