CVE-2026-23736

HIGH7.3EPSS 0.33%

seroval Affected by Prototype Pollution via JSON Deserialization

Published: 1/21/2026Modified: 2/3/2026

Description

Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality. As there is no known workaround, please upgrade to the latest version.

Affected packages (1)

npm/serovalfrom 0, < 1.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-23736
PATCHhttps://github.com/lxsmnsyc/seroval
WEBhttps://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
WEBhttps://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4