Arbitrary JS Code Execution via Unsanitized create_function in Locutus <3.0.14
CVE-2026-32304 Published on March 12, 2026

Locutus: RCE via unsanitized input in create_function()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.

NVD

Vulnerability Analysis

CVE-2026-32304 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-32304 has been classified to as a Code Injection vulnerability or weakness.

What is an Argument Injection Vulnerability?

The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CVE-2026-32304 has been classified to as an Argument Injection vulnerability or weakness.


Products Associated with CVE-2026-32304

Want to know whenever a new CVE is published for Red Hat Logging? stack.watch will email you.

 

Affected Versions

locutusjs locutus: Logging Subsystem for Red Hat OpenShift: Logging Subsystem for Red Hat OpenShift: Logging Subsystem for Red Hat OpenShift: Logging Subsystem for Red Hat OpenShift: Logging Subsystem for Red Hat OpenShift: Logging Subsystem for Red Hat OpenShift:

Exploit Probability

EPSS
0.55%
Percentile
41.75%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.