Part of Lyceum Intelligence's In Focus deep-research reports.


CVE-2026-41507 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-41507 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-41507 is a code injection vulnerability in Mauriciopoppe's Math-Codegen library, a JavaScript package that generates executable code from mathematical expressions, affecting all versions prior to 0.4.3.

Technical Detail

The flaw exists in the cg.parse() function, which accepts string literal content and injects it verbatim into a new Function() constructor body without any sanitization or validation. An attacker who can control or influence the input passed to cg.parse() can embed arbitrary JavaScript into the dynamically constructed function, resulting in remote code execution within the context of the Node.js process. The severity is rated Critical at CVSS 9.8, reflecting the low complexity of exploitation and the potential for full process-level code execution with no authentication required if the parsing function is exposed to untrusted input.
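The pattern described above, as an added example that is not math-codegen's own code: a toy code generator that splices a string literal verbatim into a `new Function()` body, next to a hardened emitter that escapes the literal with `JSON.stringify`, plus an allowlist gate that rejects non-expression input before any code generation happens. The expression grammar in the allowlist and the sample input are assumptions constructed for the example.

```javascript
// Added example, not math-codegen's own code: a minimal code generator that
// shows the injection sink described above (a string literal spliced verbatim
// into a Function body) next to a hardened emitter, plus an allowlist gate.

// Naive emitter: the raw text is placed between quotes. A quote character in
// the input closes the literal early, so the remainder of the input is parsed
// as JavaScript rather than treated as data. This is the vulnerable pattern.
function emitLiteralUnsafe(text) {
  return 'return "' + text + '";';
}

// Hardened emitter: JSON.stringify yields a syntactically valid JS string
// literal with quotes, backslashes and control characters escaped, so the
// generated body always returns the input text unchanged.
function emitLiteralSafe(text) {
  return 'return ' + JSON.stringify(text) + ';';
}

// Defence in depth for a calculator-style front end (assumed grammar, not the
// library's): reject anything outside the characters an expression needs
// before it reaches code generation at all.
const EXPRESSION_ALLOWLIST = /^[0-9A-Za-z_+\-*\/^().,\s]*$/;
function assertSafeExpression(expr) {
  if (!EXPRESSION_ALLOWLIST.test(expr)) {
    throw new Error('rejected: expression contains disallowed characters');
  }
  return expr;
}

// Compile a generated body the way a codegen library would. With the unsafe
// emitter this step either fails to parse or runs input-shaped code; with the
// safe emitter its behaviour does not depend on the input.
function compile(body) {
  return new Function(body);
}

// Returns what each emitter does with a constructed input holding a quote.
function demo() {
  const input = 'say "hi"';             // constructed sample, contains a quote
  let unsafe;
  try {
    unsafe = compile(emitLiteralUnsafe(input))();
  } catch (e) {
    unsafe = e.constructor.name;         // the literal boundary was broken
  }
  const safe = compile(emitLiteralSafe(input))();
  return { unsafe, safe };
}

console.log(demo());
```

The point of `demo()` is the asymmetry: with the naive emitter a single quote in the input changes the structure of the generated program (here it fails to parse; other inputs would parse and run), while the hardened emitter returns the text byte-for-byte regardless of what it contains. The allowlist gate is the mitigation a caller can apply today, before upgrading, to keep user-supplied string content away from the parser.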

Exploitation Status

No known exploit has been publicly documented or observed at this time. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploit maturity is currently assessed as none, though the straightforward nature of the injection primitive means a functional exploit would require minimal development effort by a capable actor.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in connection with this vulnerability.

What To Do

Upgrade Math-Codegen to version 0.4.3 or later immediately, as this is the only confirmed remediation. Organizations should audit any application or service that passes user-controlled or externally sourced input to cg.parse() and treat such code paths as high-priority attack surface. If an immediate upgrade is not feasible, restrict all input to cg.parse() to trusted, internally defined mathematical expressions and block any user-supplied string content from reaching that function. Dependency scanning tools should be updated to flag versions below 0.4.3 in software bills of materials and CI/CD pipelines.
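One way to implement the dependency check from the last step, as added example code rather than the project's own tooling: walk an npm lockfile's `packages` map, including nested `node_modules` copies pinned by transitive dependencies, and report every copy of the affected package below 0.4.3. The npm package name `math-codegen` is an assumption, and the lockfile below is constructed for the example.

```javascript
// Added example, not the project's tooling: scan an npm lockfile's "packages"
// map for the affected package at a version below the fixed release. The npm
// package name "math-codegen" is assumed; the lockfile below is constructed.
const PACKAGE_NAME = 'math-codegen';
const FIXED_VERSION = '0.4.3';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error('unparseable version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` is strictly below the fix. A prerelease of the fixed
// version (e.g. 0.4.3-beta.1) is treated as below it, matching semver ordering.
function isVulnerable(version) {
  const a = parseVersion(version), b = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Walk every entry (npm lockfile v2/v3 shape), including nested node_modules
// copies that a transitive dependency may pin independently, and return the
// ones that need an upgrade.
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = entry.name || path.split('node_modules/').pop();
    if (name === PACKAGE_NAME && isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: one direct copy below the fix, one nested copy at the
// fixed version, and one nested prerelease of the fixed version.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/math-codegen': { version: '0.4.2' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/math-codegen': { version: '0.4.3' },
    'node_modules/other-lib/node_modules/math-codegen': { version: '0.4.3-beta.1' },
  },
};

console.log(findVulnerable(SAMPLE_LOCKFILE));
```

Running this against a real lockfile means replacing `SAMPLE_LOCKFILE` with the parsed contents of `package-lock.json`; the nested-path handling matters because `npm ls` style checks that only look at the top-level copy miss a vulnerable version pinned deeper in the tree.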
