locutus
npm6 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting locutuspage 1 of 1
- CVE-2020-13619CRITICALCVSS 9.8EG 9.82020-07-01
php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution.
- CVE-2020-7719CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.0.122020-09-01
Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.
- CVE-2021-23392MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.0.152021-06-08
The package locutus before 2.0.15 are vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
- CVE-2026-25521CRITICALCVSS 9.3EG 8.8✓ Fixed in 2.0.392026-02-04
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigat…
- CVE-2026-29091HIGHCVSS 8.1EG 8.1✓ Fixed in 3.0.02026-03-06
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array fu…
- CVE-2026-32304CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.0.142026-03-13
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, a…
Check whether locutus is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for locutus CVEs against the assets you own.
Start Free Scan →