High severity8.8NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026
CVE-2026-40897
CVE-2026-40897
Description
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mathjsnpm | >= 13.1.1, < 15.2.0 | 15.2.0 |
Affected products
3- osv-coords2 versions
< 0.8.4-r5+ 1 more
- (no CPE)range: < 0.8.4-r5
- (no CPE)range: >= 13.1.1, < 15.2.0
Patches
Vulnerability mechanics
References
5- github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326adnvdPatchWEB
- github.com/advisories/GHSA-29qv-4j9f-fjw5ghsaADVISORY
- github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-40897ghsaADVISORY
- github.com/josdejong/mathjs/pull/3656nvdIssue TrackingWEB
News mentions
0No linked articles in our index yet.