Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLocutus
APPLocutus< 2.0.12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2026-32304CRITICAL9.8PL ✓ten sam produkt
Locutus: RCE w funkcji create_function() przez brak sanityzacji danych wejściowych
CVE-2026-25521CRITICAL9.4PL ✓ten sam produkt
Prototype pollution w bibliotece Locutus (JavaScript stdlibs)
CVE-2026-29091HIGH8.1ten sam produkt
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
CVE-2026-33993MEDIUM6.9ten sam produkt
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version...
CVE-2026-33994MEDIUM6.3ten sam produkt
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in vers...