CVE-2026-40897

HIGH

mathjs 13.1.1-15.1.9 - Remote Code Execution via Expression Parser

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-40897. PoCs published by EQSTLab.

AI-analyzed exploit summary The repository contains only a minimal README with a CVE identifier and a reference to 'mathjs' but no exploit code, technical details, or analysis. It appears to be a placeholder or incomplete submission.

Description

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

Exploits (1)

nomisec STUB
by EQSTLab · poc
https://github.com/EQSTLab/CVE-2026-40897

The repository contains only a minimal README with a CVE identifier and a reference to 'mathjs' but no exploit code, technical details, or analysis. It appears to be a placeholder or incomplete submission.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: mathjs (version unspecified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed May 07, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0044
EPSS Percentile 34.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-915
Status published
Products (2)
mathjs/mathjs 13.1.1 - 15.2.0
npm/mathjs 13.1.1 - 15.2.0npm
Published Apr 24, 2026
Tracked Since Apr 27, 2026