CVE-2026-41139
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be e
CVSS
8.8
High
EPSS
0.6%
p44
KEV
—
Exploit Today
13
0-100
Published: May 7, 2026 · Last modified: Jul 15, 2026 · CWE-915 · CWE-94
0.6%EPSS · 30 days0.6%
2026-06-302026-07-17
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
- github.comhttps://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4
- github.comhttps://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611
- github.comhttps://github.com/josdejong/mathjs/pull/3656
- github.comhttps://github.com/josdejong/mathjs/releases/tag/v15.2.0
- github.comhttps://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-41139
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2467648
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41139.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability3dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability3dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability2dCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability12dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.9dCVE-2023-362558.8 HIG99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.9d