CVE-2026-41507
Remote Code Execution (RCE) via String Literal Injection into math-codegen
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.
| CWE | CWE-94 |
| Vendor | mauriciopoppe |
| Product | math-codegen |
| Published | May 8, 2026 |
| Last Updated | May 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for mauriciopoppe math-codegen
Be the first to know when new critical vulnerabilities affecting mauriciopoppe math-codegen are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
mauriciopoppe / math-codegen
< 0.4.3