CVE-2026-29091 is a remote code execution vulnerability identified in the locutus JavaScript library, specifically affecting versions prior to 3.0.0. Locutus is a library that ports standard libraries from other programming languages to JavaScript, primarily for educational purposes. The vulnerability exists in the implementation of the call_user_func_array function and its wrapper call_user_func. These functions accept a callback array, which is intended to specify a function and its context. However, the implementation fails to properly validate all components of this callback array before passing them to the JavaScript eval() function. This improper neutralization of directives in dynamically evaluated code (classified as CWE-95) enables an attacker to inject arbitrary JavaScript code into the runtime environment. Because eval() executes code with the privileges of the hosting environment, successful exploitation can lead to full remote code execution, compromising confidentiality, integrity, and availability of the affected system. The vulnerability does not require authentication or user interaction, increasing its risk profile. The issue was patched in locutus version 3.0.0 by correcting the validation logic to prevent unsafe code injection. No known exploits have been reported in the wild as of the publication date, but the high CVSS score of 8.1 reflects the critical nature of the flaw. This vulnerability is particularly relevant for developers and organizations using locutus in web applications or educational tools where untrusted input might reach these vulnerable functions.

The impact of CVE-2026-29091 is significant due to its remote code execution nature without requiring authentication or user interaction. An attacker exploiting this flaw can execute arbitrary JavaScript code within the context of the vulnerable application, potentially leading to full system compromise. This can result in data theft, unauthorized access, manipulation or destruction of data, and disruption of service. For organizations, this could mean exposure of sensitive information, loss of intellectual property, and damage to reputation. Since locutus is used primarily in educational contexts and some development environments, the risk extends to any web applications or services that incorporate this library without patching. The vulnerability could also be leveraged as a pivot point for further attacks within a compromised network. Although no active exploits are currently known, the ease of exploitation and the critical impact on confidentiality, integrity, and availability make this a high-risk vulnerability that demands prompt remediation.

Organizations should immediately upgrade all instances of the locutus library to version 3.0.0 or later, where the vulnerability has been patched. Additionally, developers should audit their codebases for any usage of call_user_func_array and call_user_func wrappers to ensure they do not pass untrusted input to eval() or similar dynamic code execution functions. Implement strict input validation and sanitization for any data that could influence callback arrays or dynamic code execution paths. Employ code reviews and static analysis tools to detect unsafe eval() usage patterns. Where possible, avoid using eval() altogether or replace it with safer alternatives. For environments where upgrading is not immediately feasible, consider applying runtime protections such as Content Security Policy (CSP) headers to restrict script execution or sandboxing vulnerable components. Monitoring and logging suspicious activity related to dynamic code execution can also help detect exploitation attempts early.