Skip to main content

Expr Eval

1 CVEs product

Monthly

CVE-2026-12866 CRITICAL Act Now

Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.

RCE Code Injection Expr Eval
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.5%
EPSS 0% CVSS 9.2
CRITICAL Act Now

Arbitrary JavaScript code execution in the expr-eval npm package affects all released versions when applications pass user-controlled expressions to the toJSFunction() API, which compiles them via new Function() and executes them in the host process context. Snyk discloses no public exploit identified at time of analysis, but the trivial attack pattern (sandbox escape via crafted math expressions) and CVSS 4.0 score of 9.2 make this a high-priority issue for any Node.js or browser application that exposes expr-eval to untrusted input.

RCE Code Injection Expr Eval
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy