While working on blueprint project, I scanned the project dependencies using a vulnerability scanner and identified CVE-2026-29091 affecting the locutus package. The issue exists in the implementation of the call_user_func_array function in vulnerable versions of the library. The vulnerability occurs because the function does not properly validate the method identifier in callback arrays and relies on the use of eval() internally.
CVE Link
CVE Report
While working on blueprint project, I scanned the project dependencies using a vulnerability scanner and identified CVE-2026-29091 affecting the locutus package. The issue exists in the implementation of the
call_user_func_arrayfunction in vulnerable versions of the library. The vulnerability occurs because the function does not properly validate the method identifier in callback arrays and relies on the use ofeval()internally.CVE Link
CVE Report