Versions of package locutus before 2.0.12 are vulnerable to prototype Pollution via the php.strings.parse_str function.