Home / Vulnerability Intelligence / CVE-2026-29091

CVE-2026-29091 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 9, 2026

Locutus - Remote Code Execution

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

Locutus < 3.0.0 contains a remote code execution caused by improper validation in call_user_func_array function, letting remote attackers inject arbitrary JavaScript code, exploit requires crafted callback input.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 25.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript code remotely, potentially leading to full system compromise.

Mitigation

Update to version 3.0.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 7, 2026

🟠 CVE-2026-29091 - High (8.1) Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function i... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29091/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-29091
Severity: High
CVSS Score: 8.1
Type: remote_code_execution
Status: unconfirmed
EPSS: 25.3%
Social Posts: 1

CWE

CWE-95

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

25.3%Probability of exploitation in the next 30 days