CVE-2026-41139 — HIGH (8.8)

Q: How severe is CVE-2026-41139?

CVE-2026-41139 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-41139?

Check the references section above for vendor advisories and patch information. Affected products include: Mathjs Mathjs.

Vulnerability Description

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Mathjs	Mathjs	>= 13.1.0, < 15.2.0

Related Weaknesses (CWE)

CWE-915

References

https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffPatch
https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543aPatch
https://github.com/josdejong/mathjs/pull/3656Issue TrackingPatch
https://github.com/josdejong/mathjs/releases/tag/v15.2.0Release Notes
https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6gPatchVendor Advisory

FAQ

What is CVE-2026-41139?

CVE-2026-41139 is a vulnerability with a CVSS score of 8.8 (HIGH). Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has ...

How severe is CVE-2026-41139?

CVE-2026-41139 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-41139?

Check the references section above for vendor advisories and patch information. Affected products include: Mathjs Mathjs.