Locutusjs is a JavaScript library that provides standard libraries from other programming languages for educational purposes. The vulnerability identified as CVE-2026-32304 resides in the create_function(args, code) function of locutus versions prior to 3.0.14. This function constructs new JavaScript functions by passing the provided arguments and code strings directly to the native Function constructor without any input sanitization or validation. This improper control of code generation (CWE-94) enables attackers to inject arbitrary JavaScript code, leading to remote code execution in the context of the application using locutus. Unlike the related CVE-2026-29091 affecting version 2.x via eval(), this vulnerability specifically involves the use of new Function() in version 3.x. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score is 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. The vulnerability was published on March 12, 2026, and fixed in locutus version 3.0.14. No public exploits have been observed yet, but the flaw’s nature suggests a high likelihood of exploitation once discovered by attackers.

The impact of CVE-2026-32304 is severe for organizations using locutusjs in their software stacks, especially in web applications or educational tools that rely on dynamic code generation. Successful exploitation allows attackers to execute arbitrary JavaScript code remotely, potentially leading to full system compromise, data theft, unauthorized access, and disruption of services. Since the vulnerability affects confidentiality, integrity, and availability, attackers could manipulate application behavior, exfiltrate sensitive data, or cause denial of service. The lack of authentication and user interaction requirements increases the risk of automated attacks and wormable exploits. Organizations that embed locutusjs in client-facing or backend services risk widespread compromise if not patched promptly. The educational focus of locutusjs means that development environments and learning platforms could be targeted to gain footholds for further attacks. Additionally, supply chain risks exist if locutusjs is included as a dependency in larger projects.

To mitigate CVE-2026-32304, organizations should immediately upgrade locutusjs to version 3.0.14 or later, where the vulnerability is fixed by proper sanitization and control of code generation inputs. Review all uses of create_function() in the codebase and replace or refactor any dynamic function generation to avoid passing unsanitized input to the Function constructor. Implement strict input validation and sanitization for any user-controllable data that might be used in dynamic code generation contexts. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and dynamically generated code where feasible. Monitor application logs and network traffic for unusual activity indicative of code injection attempts. For development and educational environments, restrict network access and isolate vulnerable systems until patched. Finally, maintain an updated inventory of dependencies and apply security patches promptly to reduce exposure.