CVE-2026-40897 — HIGH (8.8)

Q: How severe is CVE-2026-40897?

CVE-2026-40897 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-40897?

Check the references section above for vendor advisories and patch information. Affected products include: Mathjs Mathjs.

Vulnerability Description

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mathjs	Mathjs	>= 13.1.1, < 15.2.0

Related Weaknesses (CWE)

CWE-915

References

https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a82132Patch
https://github.com/josdejong/mathjs/pull/3656Issue Tracking
https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5Vendor Advisory

FAQ

What is CVE-2026-40897?

CVE-2026-40897 is a vulnerability with a CVSS score of 8.8 (HIGH). Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be af...

How severe is CVE-2026-40897?

CVE-2026-40897 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-40897?

Check the references section above for vendor advisories and patch information. Affected products include: Mathjs Mathjs.