Math.js Arbitrary Code Execution via Expression Parser (CVE-2026-41139)
The National Vulnerability Database has disclosed CVE-2026-41139, a high-severity vulnerability (CVSS 8.8) in Math.js, an extensive math library for JavaScript and Node.js. This flaw allows for arbitrary JavaScript execution through the library’s expression parser.
Specifically, Math.js versions from 13.1.0 up to, but not including, 15.2.0 are affected. An attacker could exploit this by injecting malicious expressions, leading to remote code execution within applications that integrate the library. This is a critical issue for any application that passes user-supplied or otherwise untrusted input to the Math.js expression parser.
Defenders need to recognize that client-side libraries often get less scrutiny than server-side components, but their exploitation can be just as devastating. A successful attack here could compromise user data, escalate privileges, or even lead to full system takeover depending on the context of the application and the privileges of the executing process. The issue has been patched in version 15.2.0, making an upgrade imperative.
What This Means For You
- If your development teams use Math.js, check immediately which version is deployed. Any version from 13.1.0 up to, but not including, 15.2.0 is vulnerable to CVE-2026-41139. Prioritize upgrading to Math.js 15.2.0 or newer to prevent arbitrary code execution via expression parsing.
Related ATT&CK Techniques
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
```yaml
title: CVE-2026-41139 - Math.js Arbitrary Code Execution via Expression Parser
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-41139 by looking for specific function calls
  ('math.evaluate' or 'math.parse') within the web server's URI query string. This
  indicates an attempt to leverage the vulnerable expression parser in Math.js
  versions prior to 15.2.0 to execute arbitrary code.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41139/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
# Note: this matches the literal function names in the query string only; payloads that
# are URL-encoded or sent in a request body are not covered and need application-level logging.
detection:
  selection:
    cs-uri-query|contains:
      - 'math.evaluate('
      - 'math.parse('
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41139 | RCE | mathjs library versions >= 13.1.0 and < 15.2.0 |
| CVE-2026-41139 | Code Injection | mathjs library expression parser |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 07, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.