{"id":"CVE-2026-32304","summary":"Locutus: RCE via unsanitized input in create_function()","details":"Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.","aliases":["GHSA-vh9h-29pq-r5m8"],"modified":"2026-04-10T05:42:22.753017Z","published":"2026-03-12T21:24:51.730Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32304.json","cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/locutusjs/locutus/releases/tag/v3.0.14"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32304.json"},{"type":"ADVISORY","url":"https://github.com/locutusjs/locutus/security/advisories/GHSA-vh9h-29pq-r5m8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32304"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/locutusjs/locutus","events":[{"introduced":"0"},{"fixed":"cd9304d5e02fb43c438a43ace4349226c6ddb0de"}]}],"versions":["v1.3.2","v2.0.0","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.19","v2.0.2","v2.0.20","v2.0.21","v2.0.22","v2.0.23","v2.0.24","v2.0.25","v2.0.26","v2.0.27","v2.0.28","v2.0.29","v2.0.3","v2.0.30","v2.0.32","v2.0.33","v2.0.34","v2.0.35","v2.0.36","v2.0.37","v2.0.38","v2.0.39","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v3.0.0","v3.0.1","v3.0.10","v3.0.11","v3.0.12","v3.0.13","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32304.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}