CVE-2026-40897

EPSS 0.45%
Veröffentlicht 24.04.2026 16:48:34
Zuletzt bearbeitet 27.04.2026 14:47:56
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Math.js: Unsafe object property setter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mathjs ≫ Mathjs SwPlatformnode.js Version >= 13.1.1 < 15.2.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.357

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

https://github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5

Vendor Advisory

https://github.com/josdejong/mathjs/pull/3656

Issue Tracking

https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-40897

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40897

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40897

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40897