Browse all 5 CVE security advisories affecting locutusjs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Locutusjs is a JavaScript library providing PHP-compatible functions for Node.js environments, commonly used for code migration and compatibility. Historically, it has faced vulnerabilities including remote code execution (RCE), cross-site scripting (XSS), and privilege escalation, primarily through insecure input handling and flawed function implementations. The library's security issues often stem from its goal of emulating PHP's behavior without proper sanitization. Five CVEs have been recorded, highlighting risks in functions that process untrusted data. While no major public incidents have been widely reported, the consistent pattern of vulnerabilities suggests developers should implement additional input validation and consider alternatives for security-sensitive applications.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-33994 | Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 | locutus | CWE-1321 | 9.8 | - | 2026-03-27 |
| CVE-2026-33993 | Locutus has Prototype Pollution via `__proto__` Key Injection in `unserialize()` | locutus | CWE-1321 | 9.8 | - | 2026-03-27 |
| CVE-2026-32304 | Locutus: RCE via unsanitized input in `create_function()` | locutus | CWE-94 | 9.8 | Critical | 2026-03-12 |
| CVE-2026-29091 | Locutus: Remote Code Execution (RCE) in locutus `call_user_func_array` due to Code Injection | locutus | CWE-95 | 8.1 | High | 2026-03-06 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | locutus | CWE-1321 | 9.8 | - | 2026-02-04 |

This page lists every published CVE security advisory associated with locutusjs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.