CVE-2026-32304 in locutus정보

요약

\~에 의해 MITRE • 2026. 03. 13.

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

GitHub M

예약하다

2026. 03. 11.

공개

2026. 03. 13.

모더레이션

수락

항목

VDB-350799

CPE

준비됨

CWE

CWE-94 (확인됨)

CVSS

9.8 (CNA)

EPSS

0.00161

KEV

아니요

활동

매우 낮음

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-32304
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-32304
CVE Details	https://www.cvedetails.com/cve/CVE-2026-32304/

◂ 이전 개요 다음 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!