CVE-2026-41507
CVE-2026-41507 affects math-codegen. Prior to 0.4.3, string literals passed to cg.parse() are injected into a new Function() body without sanitization, enabling attacker-controlled input to execute arbitrary system commands and potentially achieve full RCE when user input reaches the parser. The ...