HIGH SeverityCVSS 3.08.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2026-41139

Last updated May 07, 2026 · Published May 07, 2026

Description

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

Affected products

1 listed

josdejong:mathjs

Mappings

CWE

CWE-915

CAPEC

None listed.

Research

Mass assignment vulnerability: prevention with DTOs and allow-listsMass assignment lets attackers set fields you never meant to expose, like isAdmin or balance. Use DTOs,…

Training

Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.

CVE-2026-41139

Description

Affected products

Mappings

Related