CVE-2026-41507 - Vulnerability Details

- Remote Code Execution (RCE) via String Literal Injection into math-codegen

Description

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

Published: 2026-05-08

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in math‑codegen, a library that translates mathematical expressions into executable code. Prior to version 0.4.3 the library concatenates the string literal content passed to cg.parse() directly into the body of a new Function() without sanitization. This omission permits an attacker to inject arbitrary code through user‑controlled expressions, causing the Function to execute system commands on the host. The flaw is a classic code injection leading to full Remote Code Execution, as reflected in the high CVSS score of 9.8.

Affected Systems

Affected systems are any installations of math‑codegen before 0.4.3. Applications that expose a math evaluation endpoint and forward user input to cg.parse() are vulnerable. The vendor product is mauriciopoppe math‑codegen; the vulnerable range is all releases prior to 0.4.3, with the patch applied in 0.4.3.

Risk and Exploitability

The risk is high due to the high CVSS; no EPSS value is published, but the severity suggests a strong likelihood of exploitation in the wild. The flaw is not listed in CISA KEV, which indicates no known active exploitation yet, but the attack path is straightforward: an attacker supplies a crafted mathematical expression that contains JavaScript code, the library injects it into a Function, and the host executes the code. Therefore, any system that uses the vulnerable library without input validation is at risk of arbitrary command execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mauriciopoppe

math-codegen

affected

Version	Status	Constraints
`< 0.4.3`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade math‑codegen to version 0.4.3 or later.
Validate or sanitize all user‑controlled mathematical expressions before passing them to cg.parse(); if the library does not provide proper checks, avoid using it or replace it with a safer evaluator.
If an immediate upgrade is not possible, run the math‑codegen component in a sandboxed or restricted environment, such as a separate service with minimal privileges, and do not execute untrusted expressions directly.

Generated by OpenCVE AI on May 8, 2026 at 16:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-p6x5-p4xf-cc4r	Remote Code Execution (RCE) via String Literal Injection into math-codegen

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b
https://github.com/mauriciopoppe/math-codegen/pull/11
https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r

History

Fri, 08 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.
Title		Remote Code Execution (RCE) via String Literal Injection into math-codegen
Weaknesses		CWE-94
References		https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b https://github.com/mauriciopoppe/math-codegen/pull/11 https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-08T13:49:34.091Z

Updated: 2026-05-08T14:20:21.285Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41507

Vulnrichment

Updated: 2026-05-08T14:20:17.825Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T14:16:34.133

Modified: 2026-05-08T16:02:14.343

Link: CVE-2026-41507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:30:12Z

Weaknesses

CWE-94

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object