CVE-2026-41139

8.8 HIGH
Published: May 07, 2026 Modified: May 08, 2026
View on NVD

Description

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4
Source: security-advisories@github.com
Patch
https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611
Source: security-advisories@github.com
Patch
https://github.com/josdejong/mathjs/pull/3656
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/josdejong/mathjs/releases/tag/v15.2.0
Source: security-advisories@github.com
Release Notes
https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g
Source: security-advisories@github.com
Patch Vendor Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.8 / 10.0
EPSS (Exploit Probability)
0.5%
40th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-915

Affected Vendors

mathjs

Related CVEs

CVE-2026-12243 7.5
CVE-2026-8023 7.5
CVE-2026-7656 8.1
CVE-2026-51219 N/A
CVE-2026-51218 N/A