Cyber Resilience

CVE-2026-29091

HighPublic PoCRCEUpdated

Published: 06 March 2026

Published
06 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0063 45.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29091 is a high-severity Eval Injection (CWE-95) vulnerability in Locutus Locutus. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-29091 is a remote code execution (RCE) vulnerability in the Locutus project, a JavaScript library that ports standard libraries from other programming languages for educational purposes. The flaw affects versions prior to 3.0.0 and resides in the implementation of the call_user_func_array function and its wrapper call_user_func. Due to insufficient validation of callback array components, the functions pass untrusted input directly to eval(), enabling arbitrary JavaScript code injection into the application's runtime environment. The issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code).

A remote attacker without privileges can exploit this vulnerability over the network by supplying a specially crafted callback array to the affected functions. Exploitation requires high attack complexity but no user interaction. Successful exploitation grants the attacker the ability to execute arbitrary JavaScript code within the application's runtime, potentially leading to high confidentiality, integrity, and availability impacts, such as data theft, modification, or denial of service.

The vulnerability has been patched in Locutus version 3.0.0, as detailed in the project's GitHub security advisory (GHSA-fp25-p6mj-qqg6) and the specific commit (977a1fb169441e35996a1d2465b512322de500ad). Security practitioners should upgrade to version 3.0.0 or later to mitigate the issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to…

more

inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-29091 is a network-accessible (AV:N/PR:N) RCE vulnerability exploitable without privileges or user interaction, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32304Same product: Locutus Locutus
CVE-2026-33994Same product: Locutus Locutus
CVE-2026-33993Same product: Locutus Locutus
CVE-2026-25521Same product: Locutus Locutus
CVE-2026-44128Shared CWE-95
CVE-2026-33618Shared CWE-95
CVE-2013-10051Shared CWE-95
CVE-2025-8420Shared CWE-95
CVE-2026-4001Shared CWE-95
CVE-2024-10633Shared CWE-95

Affected Assets

locutus
locutus
≤ 3.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the RCE flaw in Locutus by requiring timely identification, reporting, and correction through upgrading to version 3.0.0 or later.

prevent

Requires validation of untrusted inputs such as callback arrays to prevent improper neutralization and subsequent injection into eval().

prevent

Enforces secure configuration settings for software libraries like Locutus, ensuring only patched versions are deployed to mitigate the vulnerability.

References