51 matches found
CVE-2026-33994
A flaw was found in the locutus npm package. A prototype pollution vulnerability exists in the parse_str function. A remote attacker can exploit this by crafting a malicious query string and overriding RegExp.prototype.test, leading to the pollution of Object.prototype. This bypasses existing...
CVE-2026-33994
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994
Locutus (npm) in parse_str.js is affected by a prototype-pollution vulnerability in versions 2.0.39 through 3.0.24, due to an incomplete fix for CVE-2026-25521. The attack can pollute Object.prototype by overriding RegExp.prototype.test and supplying a crafted query string, bypassing the guard th...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994 Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
CVE-2026-33994
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Starting in version 2.0.39 and prior to version 3.0.25, a prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by...
Prototype Pollution
Overview: locutus is a Locutus other languages' standard libraries to JavaScript for fun and educational purposes. Affected versions of this package are vulnerable to Prototype Pollution in the parse_str function. An attacker can modify the prototype of built-in objects by overriding...
GHSA-VC8F-X9PP-WF5P Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Summary: A prototype pollution vulnerability exists in the parse_str function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parse_str, bypassing the prototype pollution guard. This vulnerability ste...
Locutus Security Vulnerability
Locutus is an open-source JavaScript library developed by Locutus. Versions of Locutus from 2.0.39 to 3.0.25 contained security vulnerabilities. These vulnerabilities stemmed from a bypassable prototype pollution protection mechanism in the parse_str function, which could lead to prototype polluti...
GHSA-RXRV-835Q-V5MH locutus is vulnerable to Prototype Pollution
Summary: A Prototype Pollution vulnerability exists in the npm package locutus 2.0.12. Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using...
EUVD-2021-1057
Malware in sbrugna...
EUVD-2021-1131
Malware in sbrugna...
SUSE CVE-2005-3389
The parse_str function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when called with only one parameter, allows remote attackers to enable the register_globals directive via inputs that cause a request to be terminated due to the memory_limit setting, which causes PHP to set an internal flag that...
GHSA-M428-JQC4-2P5J Prototype Pollution in phpjs
All versions of phpjs up to and including 1.3.2 are vulnerable to Prototype Pollution via parse_str. phpjs is no longer maintained and users are advised to use Locutus as a replacement https://github.com/locutusjs/locutus...
Prototype Pollution in phpjs
All versions of phpjs up to and including 1.3.2 are vulnerable to Prototype Pollution via parse_str. phpjs is no longer maintained and users are advised to use Locutus as a replacement https://github.com/locutusjs/locutus...
Prototype Pollution
locutus is vulnerable to prototype pollution. The vulnerability exists as the php.strings.parse_str function does not restrict __proto__, constructor and prototype headers to be set in objects...
Prototype Pollution in kvz/locutus
Description: phpjs is a community built PHP binding in JavaScript. This package is vulnerable to Prototype Pollution via parse_str. Proof of Concept: const phpjs = require('phpjs'); phpjs.parse_str("__proto__[polluted]=true", {}); console.log(polluted);...
CVE-2020-7700
All versions of phpjs are vulnerable to Prototype Pollution via parse_str...
Code injection
All versions of phpjs are vulnerable to Prototype Pollution via parse_str...