CVE-2026-41507
CriticalSummary
math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() was injected verbatim into a new Function() body without sanitization, allowing attackers to execute arbitrary system commands.
Risk Assessment
Applications exposing a math evaluation endpoint where user input flows into cg.parse() are vulnerable to full remote code execution (RCE). This could lead to serious security breaches within the organization.
Recommendation
It is recommended to upgrade to version 0.4.3 or later to mitigate this vulnerability. Additionally, implementing proper input sanitization mechanisms before processing user data is advisable.
Original NVD description (English source)
math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3.

