What is CVE-2026-41139?

CVE-2026-41139 is a high-severity vulnerability in Josdejong Mathjs, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. CVSS score: 8.8/10. Published 2026-05-07.

How severe is CVE-2026-41139?

High severity. CVSS v3 base score is 8.8 out of 10.

Vulnerability in Josdejong Mathjs

CVE-2026-41139

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0.

Vulnerability class: Mass Assignment

EPSS: 0.000 (12.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Josdejong Mathjs — versions >= 13.1.0, < 15.2.0
Mathjs

Weakness classification (CWE)

CWE-915 — Improperly Controlled Modification of Dynamically-Determined Object Attributes

References

https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g (x_refsource_CONFIRM, Patch, Vendor Advisory)
https://github.com/josdejong/mathjs/pull/3656 (Patch, x_refsource_MISC, Issue Tracking)
https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4 (Patch, x_refsource_MISC)
https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611 (Patch, x_refsource_MISC)
https://github.com/josdejong/mathjs/releases/tag/v15.2.0 (x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-41139?: CVE-2026-41139 is a high-severity vulnerability in Josdejong Mathjs, classified under Improperly Controlled Modification of Dynamically-Determined Object Attributes. CVSS score: 8.8/10. Published 2026-05-07.
How severe is CVE-2026-41139?: High severity. CVSS v3 base score is 8.8 out of 10.