PT-2026-37126 · Npm · Math-Codegen

Published 2026-04-17 · Updated 2026-05-12 · CVE-2026-41507

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: math-codegen versions prior to 0.4.3

Description: The content of string literals passed to the cg.parse() function is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Applications that expose a math evaluation endpoint where user input flows into cg.parse() are susceptible to remote code execution (RCE), that is, the ability to execute malicious code on a remote machine.

Recommendations: Update to version 0.4.3 or later. Avoid passing unsanitized user input to the parser, or manually escape string literals in the input.
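The weakness class above (a string literal from untrusted input pasted verbatim into generated JavaScript that is then handed to new Function()) can be illustrated with a small expression compiler. The following is an added example written for this advisory, not math-codegen's own code; the functions parseExpr, emitLiteralUnsafe, emitLiteralSafe, compileUnsafe, compileSafe and roundTrips, and the two-token mini grammar, are hypothetical and do not reflect the project's real API. It places the unescaped generator beside the hardened one (JSON.stringify produces a correctly escaped literal) and adds a round-trip check a maintainer can keep as a regression test: for any string node, the generated source must evaluate back to exactly the original value.

```javascript
// Added example (not math-codegen's own code): a toy expression-to-JS code
// generator showing the unescaped-literal defect beside its fix.
// All names and the mini grammar below are constructed for illustration.

// A deliberately minimal "parser": an expression is either a double-quoted
// string literal or an integer. Anything else is rejected.
function parseExpr(src) {
  const s = src.trim();
  const m = /^"([\s\S]*)"$/.exec(s);   // greedy: everything between the outer quotes
  if (m) return { type: 'str', value: m[1] };
  if (/^-?\d+$/.test(s)) return { type: 'num', value: Number(s) };
  throw new SyntaxError('unsupported expression: ' + src);
}

// DEFECTIVE generator: the literal's content is pasted verbatim into the
// generated program, so a quote or backslash in the input changes the
// structure of the code instead of remaining data.
function emitLiteralUnsafe(node) {
  return node.type === 'str' ? '"' + node.value + '"' : String(node.value);
}

// HARDENED generator: JSON.stringify emits a valid, fully escaped JS string
// literal, so whatever the input contains it stays a single string token.
function emitLiteralSafe(node) {
  return node.type === 'str' ? JSON.stringify(node.value) : String(node.value);
}

// Shared back end: build the function body and compile it with new Function().
// Returns the generated source as well, so tests can inspect it.
function compile(src, emit) {
  const body = 'return ' + emit(parseExpr(src)) + ';';
  return { body, fn: new Function(body) };
}

const compileUnsafe = (src) => compile(src, emitLiteralUnsafe);
const compileSafe = (src) => compile(src, emitLiteralSafe);

// Regression check: the compiled program must return exactly the parsed value.
// A SyntaxError thrown by new Function() counts as a failure, because it means
// the input altered the shape of the generated code.
function roundTrips(src, compiler) {
  try {
    return compiler(src).fn() === parseExpr(src).value;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: a plain literal, one containing quotes, one
// containing a backslash. Only the hardened generator round-trips all three.
const sampleInputs = ['"hello"', '"say "hi""', '"back\\slash"'];

for (const input of sampleInputs) {
  console.log(input, 'unsafe:', roundTrips(input, compileUnsafe),
              'safe:', roundTrips(input, compileSafe));
}
```

The round-trip check is the useful part for a code base like this: it fails on the unescaped generator as soon as the input contains a quote (new Function() throws) or a backslash (the value silently changes), and passes on the escaped generator, which is exactly the property the "escape string literals" recommendation above is meant to guarantee.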

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-41507, GHSA-P6X5-P4XF-CC4R

Affected Products: Math-Codegen