Remote Code Execution (RCE) via String Literal Injection into math-codegen — CVE-2026-41507
ID
CVE-2026-41507
Source
GitHub
Vendor
GitHub
Threat
critical
CVSS
9.8
EPSS
0.00045
Summary
### Impact

String literal content passed to `cg.parse()` is injected verbatim into a `new Function()` body without sanitization. An attacker who controls the literal can therefore break out of the generated string and run arbitrary JavaScript in the Node.js process, and from there arbitrary system commands, whenever user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into `cg.parse()` is vulnerable to full RCE.

### Patches

The vulnerability is addressed by using…
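The mechanism above, as an added example that is not math-codegen's own code: a minimal compiler that decodes a string literal and pastes the decoded value verbatim into a `new Function()` body (the bug class the advisory describes), next to a hardened version that re-encodes the value with `JSON.stringify`. The names `lexStringLiteral`, `compileUnsafe`, `compileSafe`, `runPayload` and the payload string are constructed for this illustration; `JSON.stringify` is one standard fix and, because the advisory's patch text is truncated on this page, is not claimed to be the project's actual change.

```javascript
// Added example, not math-codegen's own code. Reproduces the bug class in the
// advisory (decoded string-literal content concatenated into a Function body)
// beside a hardened compiler. All names here are constructed for illustration.

// Lex the first double-quoted string literal in `expr`, decoding backslash
// escapes (\" -> ", \\ -> \) the way an ordinary tokenizer would.
function lexStringLiteral(expr) {
  const start = expr.indexOf('"');
  if (start < 0) throw new Error('no string literal in input');
  let value = '';
  for (let i = start + 1; i < expr.length; i++) {
    const ch = expr[i];
    if (ch === '\\' && i + 1 < expr.length) { value += expr[++i]; continue; }
    if (ch === '"') return value;           // closing quote
    value += ch;
  }
  throw new Error('unterminated string literal');
}

// VULNERABLE: the decoded value is wrapped in quotes by string concatenation,
// so a decoded `"` inside the value terminates the generated literal early and
// whatever follows is compiled as code by new Function().
function compileUnsafe(expr) {
  const body = 'return "' + lexStringLiteral(expr) + '";';
  return new Function(body);
}

// HARDENED: JSON.stringify re-encodes the value as a well-formed JavaScript
// string literal (quotes, backslashes and control characters escaped), so the
// content can only ever be data. One standard fix; not claimed to be the
// project's own patch, which is truncated on this page.
function compileSafe(expr) {
  const body = 'return ' + JSON.stringify(lexStringLiteral(expr)) + ';';
  return new Function(body);
}

// Constructed payload. As the attacker would send it:
//   "\" + (globalThis.pwned = true) + \""
// After decoding, the literal's value is:  " + (globalThis.pwned = true) + "
// In the unsafe body that becomes:  return "" + (globalThis.pwned = true) + "";
// The side effect stands in for the child_process call a real payload would make.
const payload = '"\\" + (globalThis.pwned = true) + \\""';

// Compile and run `expr` with the given compiler, reporting the value the
// generated function returned and whether the injected side effect fired.
function runPayload(compile, expr) {
  delete globalThis.pwned;
  const out = compile(expr)();
  return { out, pwned: globalThis.pwned === true };
}

// Usage: the same input executes code in one compiler and stays a string in the other.
console.log('unsafe:', runPayload(compileUnsafe, payload));
console.log('safe:  ', runPayload(compileSafe, payload));
```

The unsafe compiler returns the string `"true"` and sets the marker, showing that attacker-chosen code ran inside the host process; the hardened one returns the literal's text unchanged and the marker stays unset. Any escaping scheme that merely strips or doubles quotes is weaker than re-encoding, because it has to anticipate every character that can terminate a JavaScript string literal.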
Product
npm: math-codegen
What to do
General, cautious steps (verify details in the official advisory):
- Prioritize patching or mitigation immediately. The low EPSS score (0.00045) reflects little observed exploitation, not low impact: the CVSS 9.8 rating stands because any endpoint that passes untrusted input to `cg.parse()` hands the attacker code execution in the Node.js process.
- Identify every installed copy of `math-codegen` in your inventory, including transitive copies pulled in by other packages, and check each version against the advisory's affected range.
- Apply vendor patches/updates or recommended mitigations as soon as they are available. Until then, stop passing untrusted input to `cg.parse()`; because the bug lives in string-literal handling, rejecting input that contains quote characters before it reaches the parser is a narrow interim mitigation (at the cost of legitimate string literals).
- Read the official advisory for exact affected versions and remediation steps.
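The inventory step above, as an added example that is not part of the advisory: a small Node.js function that lists every copy of `math-codegen` recorded in a `package-lock.json`, including transitive copies nested under other packages, so each version can be compared against the affected range in the official advisory. `findInstalledCopies` and the sample lockfile are constructed for this illustration; the version strings in the sample are placeholders, not real affected or fixed versions.

```javascript
// Added example, not from the advisory: enumerate installed copies of a package
// from an npm lockfile. Handles lockfileVersion 1 (nested "dependencies") and
// lockfileVersion 2/3 (flat "packages" map keyed by install path).
// findInstalledCopies and sampleLock are constructed for this illustration.

function findInstalledCopies(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: keys look like "node_modules/a/node_modules/math-codegen"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else {
    // v1: each dependency may carry its own nested "dependencies" object
    const walk = (deps, prefix) => {
      for (const [dep, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) hits.push({ path, version: entry.version });
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile: one direct copy and one transitive copy under a
// hypothetical dependency. Version strings are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/math-codegen': { version: '0.0.0-placeholder' },
    'node_modules/some-plotting-lib': { version: '0.0.0-placeholder' },
    'node_modules/some-plotting-lib/node_modules/math-codegen': { version: '0.0.0-placeholder' },
  },
};

// Usage: both copies are reported with their install path and version.
console.log(findInstalledCopies(sampleLock, 'math-codegen'));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `sampleLock`. The transitive copy matters: a vulnerable version pulled in by another package is just as exposed as a direct dependency, and `npm audit` only flags it when the advisory's affected range is already in the audit database.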