Cyber Posture

CVE-2026-23736

High

Published: 21 January 2026

Modified: 27 February 2026
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality.…

This issue is fixed in version 1.4.1.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly mandates proper validation of untrusted JSON inputs to block malicious object keys that cause prototype pollution during seroval deserialization.
- prevent: Requires timely flaw remediation by upgrading vulnerable seroval versions 1.4.0 and below to the patched 1.4.1.
- detect: Enables vulnerability scanning to identify and prioritize exploitation risks from known CVEs like CVE-2026-23736 in application dependencies.

Security Summary (AI-generated)

CVE-2026-23736 is a vulnerability in the seroval JavaScript library, which enables stringification of JavaScript values including complex structures beyond standard JSON.stringify capabilities. In versions 1.4.0 and below, improper input validation allows a malicious object key to cause prototype pollution during JSON deserialization. This issue is limited to the JSON deserialization functionality and is associated with CWE-1321. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-01-21.

A remote, unauthenticated attacker can exploit this vulnerability by supplying malicious input to an affected seroval JSON deserialization operation. Successful exploitation leads to prototype pollution, where the attacker can modify properties on Object.prototype, potentially enabling further attacks such as denial of service, information disclosure, or code execution depending on the application's use of polluted prototypes. The low complexity and lack of privileges required make it accessible to attackers targeting applications that process untrusted JSON inputs with vulnerable seroval versions.

The seroval security advisory (GHSA-hj76-42vx-jwp4) and corresponding commit (ce9408ebc87312fcad345a73c172212f2a798060) confirm the issue is fixed in version 1.4.1 through improved input validation. Security practitioners should upgrade to seroval 1.4.1 or later and review applications for unsafe deserialization of untrusted JSON inputs using this library.
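As an added illustration of the input-validation control listed above (example code written for this page, not seroval's code; seroval's own fix is the commit referenced in the advisory), the following guard rejects untrusted JSON that carries the object keys used for prototype pollution before any deserializer copies them onto a live object, and provides a post-condition check that a service can run after deserializing untrusted data. The key set and the sample payload are assumptions constructed for the example.

```javascript
// Keys that, when assigned through a naive `target[key] = value` copy, reach
// Object.prototype instead of the target object (assumed set for this example).
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walk a parsed JSON value and return the JSONPath-style location of the first
// dangerous key, or null when the value is clean.
function findDangerousKey(value, path = "$") {
  if (value === null || typeof value !== "object") return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findDangerousKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  // JSON.parse stores "__proto__" as an own data property, so Object.keys sees it
  // and the check runs before any deserializer re-assigns the key.
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) return `${path}.${key}`;
    const hit = findDangerousKey(value[key], `${path}.${key}`);
    if (hit) return hit;
  }
  return null;
}

// Parse untrusted JSON and refuse it outright if it carries a dangerous key.
// Throws on malformed JSON (from JSON.parse) or on a dangerous key.
function safeParse(text) {
  const parsed = JSON.parse(text);
  const hit = findDangerousKey(parsed);
  if (hit !== null) {
    throw new Error(`rejected untrusted JSON: dangerous key at ${hit}`);
  }
  return parsed;
}

// Post-condition check: a fresh object must not inherit `marker` from
// Object.prototype. `in` walks the prototype chain, so pollution shows up here.
function isPrototypePolluted(marker) {
  return marker in {};
}

// Constructed sample payload (not from the advisory) exercising the guard.
const SAMPLE_MALICIOUS = '{"user":{"name":"alice","__proto__":{"isAdmin":true}}}';
const SAMPLE_BENIGN = '{"user":{"name":"alice","roles":["viewer"]}}';
```

Run `safeParse` on every untrusted document before handing it to any deserializer, and treat a non-null result from `findDangerousKey` as a security event worth logging with the offending path.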

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution")

Affected Products: lxsmnsyc / seroval, versions ≤ 1.4.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1565.003 Runtime Data Manipulation (Impact): Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Why these techniques?

The CVE enables remote exploitation of public-facing applications via malicious JSON input (T1190), leading to prototype pollution, a form of runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References