Home / Vulnerability Intelligence / CVE-2026-41507

CVE-2026-41507 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: May 8, 2026

math-codegen - Remote Code Execution

Published: May 8, 2026Updated: May 8, 2026Remote Exploitable

Overview

math-codegen < 0.4.3 contains a command injection caused by unsanitized string literals passed to cg.parse(), letting attackers execute arbitrary system commands remotely, exploit requires user input to reach the parser.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can execute arbitrary system commands remotely, leading to full remote code execution.

Mitigation

Update to version 0.4.3 or later.

References

https://github.com/mauriciopoppe/math-codegen/pull/11
https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r
https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-41507
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: unconfirmed

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H