JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

### Impact
String literal content passed to `cg.parse()` is injected verbatim into a `new Function()` body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into `cg.parse()` is vulnerable to full RCE.
    
### Patches
The vulnerability is addressed by using `JSON.stringify()` on string literal values in `lib/node/ConstantNode.js` to ensure they are treated as data rather than code. Users should upgrade to version 0.4.3 or later.
    
### Workarounds
Avoid passing un-sanitized user input to the parser or manually escape string literals in the input.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-p6x5-p4xf-cc4r	CRITICAL	9.8	JavaScript	math-codegen	No	Yes	Apr 17, 2026
CVE-2026-41242	CRITICAL	9.4	JavaScript	protobufjs	No	Yes	Apr 18, 2026
GHSA-v38x-c887-992f	CRITICAL	9.2	JavaScript	flowise	No	Yes	Apr 18, 2026
CVE-2026-40931	HIGH	8.4	JavaScript	compressing	No	Yes	Apr 17, 2026
CVE-2026-40346	MEDIUM	6.4	JavaScript	@nocobase/plugin-workflow-request	No	Yes	Apr 18, 2026

GHSA-p6x5-p4xf-cc4r:
JavaScript vulnerability analysis and mitigation

Impact

Patches

Workarounds

9.8

Related JavaScript vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

GHSA-p6x5-p4xf-cc4r: JavaScript vulnerability analysis and mitigation