CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-33993

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.25, the `unserialize()` function in `locutus/php/var/unserialize` assigns deserialized keys to plain objects via bracket notation without filtering the `__proto__` key. When a PHP serialized payload contains `__proto__` as an array or object key, JavaScript's `__proto__` setter is invoked, replacing the deserialized object's prototype with attacker-controlled content. This enables property injection, for...in propagation of injected properties, and denial of service via built-in method override. This is distinct from the previously reported prototype pollution in `parse_str` (GHSA-f98m-q3hr-p5wq, GHSA-rxrv-835q-v5mh) — `unserialize` is a different function with no mitigation applied. Version 3.0.25 patches the issue.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 13.2%

CVSS Severity

CVSS v3 Score 9.8

References

Products affected by CVE-2026-33993

Locutus » Locutus » Version: N/A

cpe:2.3:a:locutus:locutus:-
Locutus » Locutus » Version: 1.3.2

cpe:2.3:a:locutus:locutus:1.3.2
Locutus » Locutus » Version: 2.0.0

cpe:2.3:a:locutus:locutus:2.0.0
Locutus » Locutus » Version: 2.0.1

cpe:2.3:a:locutus:locutus:2.0.1
Locutus » Locutus » Version: 2.0.10

cpe:2.3:a:locutus:locutus:2.0.10
Locutus » Locutus » Version: 2.0.11

cpe:2.3:a:locutus:locutus:2.0.11
Locutus » Locutus » Version: 2.0.12

cpe:2.3:a:locutus:locutus:2.0.12
Locutus » Locutus » Version: 2.0.13

cpe:2.3:a:locutus:locutus:2.0.13
Locutus » Locutus » Version: 2.0.14

cpe:2.3:a:locutus:locutus:2.0.14
Locutus » Locutus » Version: 2.0.15

cpe:2.3:a:locutus:locutus:2.0.15
Locutus » Locutus » Version: 2.0.16

cpe:2.3:a:locutus:locutus:2.0.16
Locutus » Locutus » Version: 2.0.17

cpe:2.3:a:locutus:locutus:2.0.17
Locutus » Locutus » Version: 2.0.19

cpe:2.3:a:locutus:locutus:2.0.19
Locutus » Locutus » Version: 2.0.2

cpe:2.3:a:locutus:locutus:2.0.2
Locutus » Locutus » Version: 2.0.20

cpe:2.3:a:locutus:locutus:2.0.20
Locutus » Locutus » Version: 2.0.21

cpe:2.3:a:locutus:locutus:2.0.21
Locutus » Locutus » Version: 2.0.22

cpe:2.3:a:locutus:locutus:2.0.22
Locutus » Locutus » Version: 2.0.23

cpe:2.3:a:locutus:locutus:2.0.23
Locutus » Locutus » Version: 2.0.24

cpe:2.3:a:locutus:locutus:2.0.24
Locutus » Locutus » Version: 2.0.25

cpe:2.3:a:locutus:locutus:2.0.25
Locutus » Locutus » Version: 2.0.26

cpe:2.3:a:locutus:locutus:2.0.26
Locutus » Locutus » Version: 2.0.27

cpe:2.3:a:locutus:locutus:2.0.27
Locutus » Locutus » Version: 2.0.28

cpe:2.3:a:locutus:locutus:2.0.28
Locutus » Locutus » Version: 2.0.29

cpe:2.3:a:locutus:locutus:2.0.29
Locutus » Locutus » Version: 2.0.3

cpe:2.3:a:locutus:locutus:2.0.3
Locutus » Locutus » Version: 2.0.30

cpe:2.3:a:locutus:locutus:2.0.30
Locutus » Locutus » Version: 2.0.31

cpe:2.3:a:locutus:locutus:2.0.31
Locutus » Locutus » Version: 2.0.32

cpe:2.3:a:locutus:locutus:2.0.32
Locutus » Locutus » Version: 2.0.33

cpe:2.3:a:locutus:locutus:2.0.33
Locutus » Locutus » Version: 2.0.34

cpe:2.3:a:locutus:locutus:2.0.34
Locutus » Locutus » Version: 2.0.35

cpe:2.3:a:locutus:locutus:2.0.35
Locutus » Locutus » Version: 2.0.36

cpe:2.3:a:locutus:locutus:2.0.36
Locutus » Locutus » Version: 2.0.37

cpe:2.3:a:locutus:locutus:2.0.37
Locutus » Locutus » Version: 2.0.38

cpe:2.3:a:locutus:locutus:2.0.38
Locutus » Locutus » Version: 2.0.39

cpe:2.3:a:locutus:locutus:2.0.39
Locutus » Locutus » Version: 2.0.4

cpe:2.3:a:locutus:locutus:2.0.4
Locutus » Locutus » Version: 2.0.5

cpe:2.3:a:locutus:locutus:2.0.5
Locutus » Locutus » Version: 2.0.6

cpe:2.3:a:locutus:locutus:2.0.6
Locutus » Locutus » Version: 2.0.7

cpe:2.3:a:locutus:locutus:2.0.7
Locutus » Locutus » Version: 2.0.8

cpe:2.3:a:locutus:locutus:2.0.8
Locutus » Locutus » Version: 2.0.9

cpe:2.3:a:locutus:locutus:2.0.9

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-33993

Products

Pricing

Contact Us