locutus
npm | 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting locutus
- CVE-2020-13619 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-07-01
php/exec/escapeshellarg in Locutus PHP through 2.0.11 allows an attacker to achieve code execution.
- CVE-2020-7719 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.0.12 | 2020-09-01
Versions of package locutus before 2.0.12 are vulnerable to Prototype Pollution via the php.strings.parse_str function.
- CVE-2021-23392 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.0.15 | 2021-06-08
The package locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
- CVE-2026-25521 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.0.39 | 2026-02-04
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigat…