CVE-2026-32304
CRITICALlocutus < 3.0.14 - Remote Code Execution via create_function
Title source: llmDescription
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8
Release Notes x_refsource_misc
https://github.com/locutusjs/locutus/releases/tag/v3.0.14
Scores
CVSS v3
9.8
EPSS
0.0016
EPSS Percentile
36.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
locutus/locutus
< 3.0.14
locutusjs/locutus
< 3.0.14
npm/locutus
0 - 3.0.14npm
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026