CVE-2026-32304
published 2026-03-13


Priority: P2 59 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (42.9th percentile)
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091, which concerned call_user_func_array using eval() in v2.x; this finding concerns create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Affected (2 ranges)

Vendor  | Product | Version range   | Fixed in
locutus | locutus | < 3.0.14        | 3.0.14
locutus | locutus | >= 0, < 3.0.14  | 3.0.14

Detection & IOCs (extracted from sources)

  • Vulnerable function is `create_function(args, code)` in Locutus v3.x, which passes both parameters directly to the JavaScript `Function` constructor (`new Function()`) without sanitization, enabling arbitrary code execution.
  • Monitor for invocations of `create_function` in JavaScript environments using the Locutus library (locutusjs), particularly where user-controlled input is passed as arguments or code parameters to `new Function()`.
  • This CVE (create_function via new Function() in v3.x) is distinct from CVE-2026-29091, which involved call_user_func_array using eval() in v2.x. Ensure detection rules target the correct Locutus version branch (v3.x) and the correct sink (new Function(), not eval()).
  • Multiple Red Hat OpenShift Logging Subsystem packages are affected but marked 'Will not fix', meaning patching to Locutus 3.0.14 may not be available through those package channels.
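A small triage helper for this advisory, added here as example code (not from Locutus or from this database): a version check against the 3.0.14 fix and a heuristic source scan that lists `create_function(` call sites and marks those whose arguments are not plain string literals, which is the pattern the detection note above asks to monitor. The sample source lines are constructed; `req.body.code` stands in for any non-constant input.

```javascript
// Added triage helpers for CVE-2026-32304 (not Locutus code): a version check
// against the fixed release and a heuristic scan for create_function() sinks.
const FIXED = [3, 0, 14]; // first fixed release named in the advisory

// True when a locutus version string is in the affected range (< 3.0.14).
function isAffectedVersion(version) {
  const parts = version.replace(/^[^\d]*/, "").split(".").map(Number);
  if (parts.length < 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

// Text between the parenthesis at `open` and its matching close (null if unbalanced).
// Heuristic only: an unbalanced ')' inside a string literal will cut it short.
function argText(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "(") depth++;
    else if (src[i] === ")" && --depth === 0) return src.slice(open + 1, i);
  }
  return null;
}

// Matches an argument list made only of plain string literals, e.g. '$a', "return $a;".
const ALL_LITERALS = /^\s*(['"`])(?:(?!\1).)*\1\s*(?:,\s*(['"`])(?:(?!\2).)*\2\s*)*$/;

// Lists create_function call sites; `dynamic` marks calls whose arguments are not
// all literals, i.e. where non-constant text may reach new Function().
function findCreateFunctionCalls(src) {
  const hits = [];
  const re = /\bcreate_function\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const args = argText(src, m.index + m[0].length - 1);
    const line = src.slice(0, m.index).split("\n").length;
    hits.push({ line, args: (args ?? "").trim(), dynamic: args === null || !ALL_LITERALS.test(args) });
  }
  return hits;
}

// Constructed sample source: one constant call and one that forwards request input.
const SAMPLE_SOURCE = [
  "const add = create_function('$a, $b', 'return $a + $b;');",
  "const body = req.body.code;",
  "const fn = create_function('', body);",
].join("\n");

console.log(findCreateFunctionCalls(SAMPLE_SOURCE), isAffectedVersion("3.0.13"));
```

Literal-only calls are still worth reviewing when upgrading, but the dynamic ones are where the unsanitized path into new Function() matters most.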

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa          |         | 8.1   | HIGH     |
osv           |         | 8.1   | HIGH     |
vendor_redhat |         | 8.1   | HIGH     |