Description
This security vulnerability allowed execution of arbitrary JavaScript via the mathjs expression parser. You may be affected if your application lets users evaluate arbitrary expressions with the mathjs expression parser.
Recommendation
Update the mathjs package to the latest compatible version. Version details:
- Affected version(s): >= 13.1.1, < 15.2.0
- Patched version(s): 15.2.0
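To check whether a project resolves to an affected release, including copies pulled in transitively, the following added example (not part of the advisory or of mathjs) scans the `packages` map of an npm `package-lock.json` and compares each mathjs entry against the range above. It assumes a lockfileVersion 2 or 3 layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag mathjs copies in an npm lockfile that fall in the
// advisory's affected range (>= 13.1.1, < 15.2.0).
const AFFECTED_FROM = '13.1.1'; // from the advisory
const PATCHED_IN = '15.2.0';    // from the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A pre-release sorts below its release (15.2.0-rc.1 < 15.2.0).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0; // pre-release identifiers are not ordered further here
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null; // unparseable or missing: report for manual review
  return compareVersions(v, parseVersion(AFFECTED_FROM)) >= 0 &&
         compareVersions(v, parseVersion(PATCHED_IN)) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed mathjs copy, including nested (transitive) ones.
function findMathjs(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/mathjs' || path.endsWith('/node_modules/mathjs')) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from the advisory).
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/mathjs': { version: '15.2.0' },
  'node_modules/report-lib/node_modules/mathjs': { version: '14.5.2' },
  'node_modules/old-lib/node_modules/mathjs': { version: '13.1.0' },
} };

console.log(findMathjs(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findMathjs` in place of the sample object.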
References
Related Issues
- mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes - CVE-2026-41139
- Maker.js has Unsafe Property Copying in makerjs.extendObject - CVE-2026-24888
- Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing - CVE-2026-1664
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
Tags: npm, mathjs
Last updated on April 28, 2026


