CVE-2026-41507 CRITICAL

CVE-2026-41507: Remote Code Execution (RCE) via String Literal Injection into math-codegen

Vendor Mauriciopoppe
Product math-codegen
Weakness CWE-94 · Code injection
Published May 8, 2026
Last update May 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

Key dates

02Disclosure timeline

May 8, 2026 CVE published
May 8, 2026 Record updated