CVE-2026-40897

HIGH

mathjs <15.2.0 - Code Injection

Title source: llm

Description

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

References (3)

[Vendor Advisory] https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5

[Issue Tracking] https://github.com/josdejong/mathjs/pull/3656

[Patch] https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0009

EPSS Percentile 25.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-915

Status published

Products (1)

mathjs/mathjs 13.1.1 - 15.2.0

Published Apr 24, 2026

Tracked Since Apr 27, 2026