{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T19:50:49.279","vulnerabilities":[{"cve":{"id":"CVE-2026-25521","sourceIdentifier":"security-advisories@github.com","published":"2026-02-04T22:15:59.203","lastModified":"2026-02-20T21:20:40.797","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39."},{"lang":"es","value":"Locutus incorpora librerías estándar de otros lenguajes de programación a JavaScript con fines educativos. En las versiones desde la 2.0.12 hasta antes de la 2.0.39, existe una vulnerabilidad de contaminación de prototipos en Locutus. A pesar de una corrección anterior que intentó mitigar la contaminación de prototipos verificando si la entrada del usuario contenía una clave prohibida, todavía es posible contaminar Object.prototype mediante una entrada manipulada utilizando String.prototype. Este problema ha sido corregido en la versión 2.0.39."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.4,"baseSeverity":"CRITICAL","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.0,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1321"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:locutus:locutus:*:*:*:*:*:node.js:*:*","versionStartIncluding":"2.0.12","versionEndExcluding":"2.0.39","matchCriteriaId":"F90DC302-09EA-4098-98B1-8B553D0A7C9E"}]}]}],"references":[{"url":"https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}