107 matches found
CVE-2026-33994
A flaw was found in the locutus npm package. A prototype pollution vulnerability exists in the parsestr function. A remote attacker can exploit this by crafting a malicious query string and overriding RegExp.prototype.test, leading to the pollution of Object.prototype. This bypasses existing...
CVE-2026-33993
A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The unserialize function, which converts serialized PHP data into JavaScript objects, fails to filter the proto key during deserialization. A remote attacker can exploit thi...
CVE-2026-33993
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33994
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994
Locutus (npm) in parse_str.js is affected by a prototype-pollution vulnerability in versions 2.0.39 through 3.0.24, due to an incomplete fix for CVE-2026-25521. The attack can pollute Object.prototype by overriding RegExp.prototype.test and supplying a crafted query string, bypassing the guard th...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized...
CVE-2026-33993
Locutus (locutus/php/var/unserialize) is affected by prototype pollution via the proto key during PHP unserialize deserialization. Before v3.0.25, unserialize assigns keys into plain objects using bracket notation, which can trigger the proto setter and replace the object prototype with attacker-...
1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +950 more potentially affected by CVE-2026-25521 +1 more via locutus (=2.0.39)
locutus NPM version =2.0.39 is affected by a known vulnerability. The following packages have a transitive dependency on locutus and may be impacted: - 1dr-twig-templating =1.0.2 - 433bf =0.0.1 - @27works/posto =2.0.2 - @2gis/js-docs-generator =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0....
EUVD-2026-16890
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521...
1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +950 more potentially affected by CVE-2026-33994 via locutus (=2.0.39)
locutus NPM version =2.0.39 is affected by a known vulnerability. The following packages have a transitive dependency on locutus and may be impacted: - 1dr-twig-templating =1.0.2 - 433bf =0.0.1 - @27works/posto =2.0.2 - @2gis/js-docs-generator =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0....
GHSA-VC8F-X9PP-WF5P Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Summary A prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parsestr, bypassing the prototype pollution guard. This vulnerability ste...
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Summary A prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parsestr, bypassing the prototype pollution guard. This vulnerability ste...
Prototype Pollution
Overview locutus is a Locutus other languages' stadard libraries to JavaScript for fun and educational purposes Affected versions of this package are vulnerable to Prototype Pollution in the unserialize function. An attacker can inject arbitrary properties into the prototype of deserialized...
1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +955 more potentially affected by CVE-2026-33993 via locutus (>=2.0.10 <=2.0.39)
locutus NPM version =2.0.10, =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0.0, =0.2.0, =0.9.0-rc.0 - @alchmy/generator-alchmy =0.0.206147191 and more Source cves: CVE-2026-33993 Source advisory: OSV:GHSA-4MPH-V827-F877...