CVE-2026-40897: Unsafe object property setter in mathjs

April 16, 2026 (updated April 27, 2026)

This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.

References

github.com/advisories/GHSA-29qv-4j9f-fjw5
github.com/josdejong/mathjs
github.com/josdejong/mathjs/commit/513ab2a0e01004af91b31aada68fae8a821326ad
github.com/josdejong/mathjs/pull/3656
github.com/josdejong/mathjs/security/advisories/GHSA-29qv-4j9f-fjw5
nvd.nist.gov/vuln/detail/CVE-2026-40897

Code Behaviors & Features

Detect and mitigate CVE-2026-40897 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →