What is the CVSS score of CVE-2026-40897?

CVE-2026-40897 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2026-40897?

Yes, a public proof-of-concept exploit is available for CVE-2026-40897. Prioritise patching immediately. EPSS: 0.1%.

Is there a patch available for CVE-2026-40897?

Yes, a patch is available for CVE-2026-40897. Update the affected software to the latest version immediately.

Red Hat CVE-2026-40897

HIGH

Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)

2026-04-16 https://github.com/josdejong/mathjs

GHSA-29qv-4j9f-fjw5

Information Disclosure Red Hat

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Red Hat

8.8 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 27, 2026 - 14:47 vuln.today

Public exploit code

Patch released

Apr 16, 2026 - 22:45 nvd

Patch available

CVE Published

Apr 16, 2026 - 22:38 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

24 npm packages depend on mathjs (5 direct, 20 indirect)

Ecosystem-wide dependent count for version 13.1.1.

DescriptionGitHub Advisory

Impact

This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.

Patches

The issue was introduced in mathjs v13.1.1, and patched in mathjs v15.2.0.

Workarounds

There is no workaround without upgrading to v15.2.0.

References

You can find out more via the commit fixing this issue: https://github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad (part of PR https://github.com/josdejong/mathjs/pull/3656).

Analysis

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

CVE-2026-40897 vulnerability details – vuln.today

Back

Red Hat CVE-2026-40897

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

Impact

Patches

Workarounds

References

Analysis

Unlock full vulnerability intelligence

Vendor StatusVendor

Share

External POC / Exploit Code