CVE-2026-33993

🗓️ 27 Mar 2026 22:14:03Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 21 Views🌐 WEB

Prototype pollution in Locutus unserialize before 3.0.25 via __proto__ key injection.

Reporter	Title	Published	Views	Family All 14
ATTACKERKB	CVE-2026-33993	27 Mar 202622:14	–	attackerkb
Circl	CVE-2026-33993	25 Mar 202612:56	–	circl
CNNVD	Locutus 安全漏洞	27 Mar 202600:00	–	cnnvd
Cvelist	CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()	27 Mar 202622:14	–	cvelist
EUVD	EUVD-2026-16888	27 Mar 202617:57	–	euvd
Github Security Blog	Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()	27 Mar 202617:57	–	github
NVD	CVE-2026-33993	27 Mar 202623:17	–	nvd
OSV	CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()	27 Mar 202622:14	–	osv
OSV	GHSA-4MPH-V827-F877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()	27 Mar 202617:57	–	osv
Positive Technologies	PT-2026-28587	27 Mar 202600:00	–	ptsecurity

NVD

Vulners

Node

locutus locutusRange<3.0.25node.js

[
  {
    "vendor": "locutusjs",
    "product": "locutus",
    "versions": [
      {
        "version": "< 3.0.25",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/locutusjs/locutus/pull/597
github	www.github.com/locutusjs/locutus/security/advisories/GHSA-4mph-v827-f877
github	www.github.com/locutusjs/locutus/commit/345a6211e1e6f939f96a7090bfeff642c9fcf9e4
github	www.github.com/locutusjs/locutus/releases/tag/v3.0.25

Parameter	Position	Path	Description	CWE
__proto__	request body	locutus/php/var/unserialize	Prototype pollution via unserialize in Locutus before 3.0.25 allows injecting into object's prototype by __proto__ key in PHP serialized payload.	CWE-1321

17 Jun 2026 10:38Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.8

CVSS 46.9

EPSS0.00583

SSVC

CWE-1321