Home / Vulnerability Intelligence / CVE-2026-32304

CVE-2026-32304 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 13, 2026

Locutus - Remote Code Execution

Published: March 13, 2026Updated: March 13, 2026Remote Exploitable

Overview

Locutus < 3.0.14 contains a remote code execution caused by unsanitized parameters passed to the Function constructor in create_function, letting attackers execute arbitrary code remotely, exploit requires crafted input.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 7.8%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code remotely, potentially compromising the system.

Mitigation

Upgrade to version 3.0.14 or later.

References

Social Media Activity(3 posts)

TheHackerWire

@thehackerwire

Mar 13, 2026

🔴 CVE-2026-32304 - Critical (9.8) Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32304/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 13, 2026

View original post

Offensive Sequence

@offseq

Mar 13, 2026

🔴 CRITICAL: CVE-2026-32304 in locutusjs (<3.0.14) enables unauthenticated remote code execution via create_function() and unsanitized inputs. Patch to 3.0.14+ now! Full details: https://radar.offseq.com/threat/cve-2026-32304-cwe-94-improper-control-of-generati-7207fd62 #OffSeq #Vuln #JavaScript #Infosec

View original post

Related Resources

Details

CVE ID: CVE-2026-32304
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new
EPSS: 7.8%
Social Posts: 3

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

7.8%Probability of exploitation in the next 30 days