Cyber Posture

CVE-2026-40897

Severity: High

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40897 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Math.js (the mathjs library). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 31.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1059.007). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2 Flaw Remediation): Directly mitigates the vulnerability by requiring timely patching of the mathjs library to version 15.2.0 or later, eliminating the arbitrary JavaScript execution flaw in the expression parser.
- prevent (SI-10 Information Input Validation): Prevents exploitation by enforcing validation and sanitization of user-supplied expressions to block injection of arbitrary JavaScript into the mathjs parser.
- detect: Identifies the presence of CVE-2026-40897 in mathjs through vulnerability scanning, enabling proactive remediation.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability enables arbitrary JavaScript code execution in the application's context via malicious expressions submitted to the parser, which directly facilitates T1190 (exploiting network-accessible applications) and T1059.007 (abuse of a JavaScript interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. This vulnerability is fixed in 15.2.0.

Deeper analysis

CVE-2026-40897 is a vulnerability in the Math.js library (mathjs), an extensive math library for JavaScript and Node.js. It affects versions from 13.1.1 to before 15.2.0 and stems from the expression parser, which allows execution of arbitrary JavaScript code. Applications are vulnerable if they permit users to evaluate arbitrary expressions using the mathjs parser. The issue is classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker requires low privileges, such as those of an authenticated user, to exploit this over the network with low complexity and no user interaction. By submitting a malicious expression to the parser, they can execute arbitrary JavaScript in the application's context, potentially leading to high impacts on confidentiality, integrity, and availability, such as data theft, modification, or denial of service.

The vulnerability is addressed in mathjs version 15.2.0. Mitigation involves updating to this version or later. Details are available in the GitHub security advisory (GHSA-29qv-4j9f-fjw5), pull request #3656, and fixing commit 513ab2a0e01004af91b31aada68fae8a821326ad.
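The remediation and detection controls above both reduce to one check: is a copy of mathjs in the affected range 13.1.1 (inclusive) to 15.2.0 (exclusive) present anywhere in the dependency tree? The following is an added example, not code from this advisory or from the mathjs project, that performs that check the way a dependency-scanning step would. Only the version bounds come from the advisory; the semver parsing, the function names and the dependency inventory are assumptions constructed for the example (a real scan would derive the inventory from a lockfile such as package-lock.json).

```javascript
// Added example (not from the advisory or the mathjs project): flag mathjs
// versions inside the affected range reported for CVE-2026-40897,
// 13.1.1 <= version < 15.2.0, as a dependency-scanning step would.
// Only the version bounds below come from the advisory text.
const AFFECTED_FROM = '13.1.1'; // first affected release (inclusive)
const FIXED_IN = '15.2.0';      // fixed release (exclusive upper bound)

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix into a
// comparable object. Build metadata after "+" is ignored, as semver specifies.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Compare two parsed versions; returns negative, zero or positive.
// A prerelease sorts before its release (15.2.0-rc.1 < 15.2.0), so a
// release-candidate of the fix is still reported as affected.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (b.pre[i] === undefined) return 1;
    const na = /^\d+$/.test(a.pre[i]);
    const nb = /^\d+$/.test(b.pre[i]);
    if (na && nb) {
      if (+a.pre[i] !== +b.pre[i]) return +a.pre[i] - +b.pre[i];
    } else if (na) {
      return -1; // numeric identifiers sort before alphanumeric ones
    } else if (nb) {
      return 1;
    } else if (a.pre[i] !== b.pre[i]) {
      return a.pre[i] < b.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// True when an installed mathjs version falls in [13.1.1, 15.2.0).
function isAffectedMathjsVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, parseSemver(AFFECTED_FROM)) >= 0 &&
         compareSemver(v, parseSemver(FIXED_IN)) < 0;
}

// Walk a flattened dependency inventory ({name, version, path}) and report
// every mathjs copy that needs the 15.2.0 upgrade, nested copies included.
function findAffectedMathjs(inventory) {
  return inventory
    .filter(dep => dep.name === 'mathjs' && isAffectedMathjsVersion(dep.version))
    .map(dep => ({ path: dep.path, version: dep.version, fixedIn: FIXED_IN }));
}

// Constructed sample inventory (not real project data), shaped like the
// flattened view of a lockfile. Two nested copies sit inside the range.
const sampleInventory = [
  { name: 'mathjs', version: '12.4.3', path: 'node_modules/mathjs' },
  { name: 'mathjs', version: '13.1.1', path: 'node_modules/legacy-calc/node_modules/mathjs' },
  { name: 'mathjs', version: '15.1.0', path: 'node_modules/report-engine/node_modules/mathjs' },
  { name: 'mathjs', version: '15.2.0', path: 'node_modules/mathjs-current' },
  { name: 'lodash', version: '4.17.21', path: 'node_modules/lodash' },
];

console.log(JSON.stringify(findAffectedMathjs(sampleInventory), null, 2));
```

The check reports nested copies separately because a top-level mathjs at 15.2.0 does not fix a vulnerable copy pulled in transitively by another package; each reported path is a separate upgrade to make.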

Details

CWE(s): CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes)

Affected Products

- mathjs (mathjs): 13.1.1 to before 15.2.0

CVEs Like This One

- CVE-2026-33453 (shared CWE-915)
- CVE-2026-29056 (shared CWE-915)
- CVE-2025-15602 (shared CWE-915)
- CVE-2026-45229 (shared CWE-915)
- CVE-2026-6912 (shared CWE-915)
- CVE-2026-5708 (shared CWE-915)
- CVE-2026-34427 (shared CWE-915)
- CVE-2026-34406 (shared CWE-915)
- CVE-2026-34179 (shared CWE-915)
- CVE-2026-32640 (shared CWE-915)