
math-codegen CVE-2026-41507

EUVD-2026-28597 · CRITICAL
Code Injection (CWE-94)
2026-05-08 · security-advisories@github.com · GHSA-p6x5-p4xf-cc4r
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

  • Source Code Evidence Fetched: May 08, 2026 - 14:32 (vuln.today)
  • Analysis Generated: May 08, 2026 - 14:32 (vuln.today)
  • CVE Published: May 08, 2026 - 14:16 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves dependency paths to a depth of 4):
  • 15 npm packages depend on math-codegen (2 direct, 13 indirect)

Ecosystem-wide dependent count for version 0.4.3.

Description (NVD)

math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

Analysis (AI-generated)

Remote code execution in math-codegen npm package versions prior to 0.4.3 allows unauthenticated attackers to execute arbitrary system commands via string literal injection into the cg.parse() function. The vulnerability stems from unsanitized string literals being injected directly into new Function() bodies, enabling full command execution on any application exposing math evaluation endpoints that process user input. …


Remediation (AI-generated)

Within 24 hours: Inventory all applications and services using math-codegen npm package and identify current versions in use; isolate or disable any exposed math evaluation endpoints. Within 7 days: Upgrade math-codegen to version 0.4.3 or later across all affected applications and redeploy. …
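The first remediation step, inventorying which versions of math-codegen are actually installed, is easy to get wrong by hand because a package can appear several times in one dependency tree, hoisted at the top level and nested under other libraries. The script below is an added example (not vuln.today's or the math-codegen project's own code) that walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports every copy of math-codegen below the patched 0.4.3 release, labelling each as a direct or transitive dependency. The sample lockfile embedded in it is constructed for the demonstration; the package names some-lib and other in it are placeholders, not real dependents.

```javascript
// Added example: inventory a package-lock.json for copies of math-codegen
// below the patched 0.4.3 release named in the advisory. Not code from
// vuln.today or from math-codegen itself.

const VULNERABLE_PACKAGE = "math-codegen";
const PATCHED_VERSION = "0.4.3"; // first fixed version per the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers; a prerelease/build suffix is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1).map(Number);
}

// True when `version` sorts strictly before `patched` (numeric, not lexical,
// so 0.3.10 is correctly below 0.4.3).
function isBelow(version, patched) {
  const a = parseSemver(version);
  const b = parseSemver(patched);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// The package name is the last "node_modules/" segment of the lockfile path;
// this also handles scoped names such as "@scope/name".
function packageNameFromPath(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// Return one record per vulnerable copy found in the lockfile's "packages" map.
function findVulnerable(lockfile, pkgName = VULNERABLE_PACKAGE, patched = PATCHED_VERSION) {
  const packages = lockfile.packages || {};
  const root = packages[""] || {};
  const rootDeps = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  const hits = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue; // the root project itself
    const name = entry.name || packageNameFromPath(lockPath);
    if (name !== pkgName || !entry.version) continue;
    if (!isBelow(entry.version, patched)) continue;
    hits.push({
      path: lockPath,
      version: entry.version,
      // Direct = the hoisted top-level copy that the root manifest itself requires;
      // anything nested under another package is transitive.
      direct: lockPath === `node_modules/${name}` && name in rootDeps,
    });
  }
  return hits;
}

// Convenience wrapper for a lockfile on disk (fs is loaded lazily so the
// pure functions above stay usable without it).
function scanLockfile(filePath) {
  const fs = require("fs");
  return findVulnerable(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample lockfile (not a real project): one direct copy at 0.4.2,
// one transitive copy at 0.3.5 under the placeholder "some-lib", and one
// already-patched copy at 0.4.3 under the placeholder "other".
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0",
          dependencies: { "math-codegen": "^0.4.2", "some-lib": "^2.0.0", "other": "^1.0.0" } },
    "node_modules/math-codegen": { version: "0.4.2" },
    "node_modules/some-lib": { version: "2.1.0", dependencies: { "math-codegen": "^0.3.0" } },
    "node_modules/some-lib/node_modules/math-codegen": { version: "0.3.5" },
    "node_modules/other": { version: "1.0.0", dependencies: { "math-codegen": "^0.4.3" } },
    "node_modules/other/node_modules/math-codegen": { version: "0.4.3" },
  },
};

// Run the scan over the constructed sample; returns the list of findings.
function demo() {
  return findVulnerable(SAMPLE_LOCKFILE);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of demo()) {
    console.log(`${hit.direct ? "DIRECT    " : "TRANSITIVE"} ${hit.version.padEnd(8)} ${hit.path}`);
  }
}
```

Run it against a real lockfile with scanLockfile("path/to/package-lock.json"); an empty result means no installed copy of math-codegen is older than 0.4.3. Transitive hits cannot be fixed by editing your own package.json alone; they need the intermediate dependency to be updated or an override pinned to 0.4.3 or later.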

