GHSA-VH9H-29PQ-R5M8 Locutus vulnerable to RCE via unsanitized input in create_function()
Summary The createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 GHSA-fp25-p6mj-qqg6 which was calluserfuncarray using eval in v2.x. This finding affects...