CVE-2026-33994
A flaw was found in the locutus npm package. A prototype pollution vulnerability exists in the parse_str function. A remote attacker can exploit this by crafting a malicious query string and overriding RegExp.prototype.test, leading to the pollution of Object.prototype. This bypasses existing...
CVE-2026-33993
A flaw was found in Locutus, a library that integrates standard libraries from other programming languages into JavaScript. The unserialize function, which converts serialized PHP data into JavaScript objects, fails to filter the __proto__ key during deserialization. A remote attacker can exploit thi...
CVE-2026-33993
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized...
CVE-2026-33994
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994
Locutus (npm) in parse_str.js is affected by a prototype-pollution vulnerability in versions 2.0.39 through 3.0.24, due to an incomplete fix for CVE-2026-25521. The attack can pollute Object.prototype by overriding RegExp.prototype.test and supplying a crafted query string, bypassing the guard th...
CVE-2026-33993
Locutus (locutus/php/var/unserialize) is affected by prototype pollution via the __proto__ key during PHP unserialize deserialization. Before v3.0.25, unserialize assigns keys into plain objects using bracket notation, which can trigger the __proto__ setter and replace the object prototype with attacker-...
1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +950 more potentially affected by CVE-2026-33994 via locutus (=2.0.39)
locutus NPM version =2.0.39 is affected by a known vulnerability. The following packages have a transitive dependency on locutus and may be impacted: - 1dr-twig-templating =1.0.2 - 433bf =0.0.1 - @27works/posto =2.0.2 - @2gis/js-docs-generator =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0....
EUVD-2026-16890
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521...
GHSA-VC8F-X9PP-WF5P Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Summary A prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parse_str, bypassing the prototype pollution guard. This vulnerability ste...
1dr-twig-templating (=1.0.2), 433bf (=0.0.1) +950 more potentially affected by CVE-2026-25521 +1 more via locutus (=2.0.39)
locutus NPM version =2.0.39 is affected by a known vulnerability. The following packages have a transitive dependency on locutus and may be impacted: - 1dr-twig-templating =1.0.2 - 433bf =0.0.1 - @27works/posto =2.0.2 - @2gis/js-docs-generator =0.0.1, =0.0.1, =1.0.2, =1.0.5, =0.0.1, =0.1.0, =1.0....
GHSA-4MPH-V827-F877 Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the __proto__ key. When a PHP serialized payload contains __proto__ as an array or object key, JavaScript's __proto__ setter is invoked, replacing the deserialized...