CVE-2026-41139
Unsafe array index getter in mathjs
| CVSS Score | 8.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.
| CWE | CWE-915 |
| Vendor | josdejong |
| Product | mathjs |
| Published | May 7, 2026 |
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Versions
josdejong / mathjs
>= 13.1.0, < 15.2.0
References
github.com: https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g
github.com: https://github.com/josdejong/mathjs/pull/3656
github.com: https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4
github.com: https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611
github.com: https://github.com/josdejong/mathjs/releases/tag/v15.2.0