{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23736", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.957Z", "datePublished": "2026-01-21T23:01:10.114Z", "dateUpdated": "2026-01-22T14:45:53.950Z"}, "containers": {"cna": {"title": "seroval Affected by Prototype Pollution via JSON Deserialization", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4"}, {"name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"version": "< 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T23:01:45.857Z"}, "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1."}], "source": {"advisory": "GHSA-hj76-42vx-jwp4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T14:45:46.259826Z", "id": "CVE-2026-23736", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T14:45:53.950Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23736", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T14:45:46.259826Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T14:45:51.268Z"}}], "cna": {"title": "seroval Affected by Prototype Pollution via JSON Deserialization", "source": {"advisory": "GHSA-hj76-42vx-jwp4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "lxsmnsyc", "product": "seroval", "versions": [{"status": "affected", "version": "< 1.4.1"}]}], "references": [{"url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4", "name": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "name": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-21T23:01:45.857Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23736", "state": "PUBLISHED", "dateUpdated": "2026-01-22T14:45:53.950Z", "dateReserved": "2026-01-15T15:45:01.957Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-21T23:01:10.114Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lxsmnsyc:seroval:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "85760E40-9AB1-40EB-98A1-D1A4411AAFC5", "versionEndExcluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1."}], "id": "CVE-2026-23736", "lastModified": "2026-02-27T19:36:50.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-21T23:15:52.340", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "seroval: seroval: Prototype pollution via improper input validation during JSON deserialization", "id": "2431898", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431898"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-1321", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-23736", "public_date": "2026-01-21T23:01:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23736\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23736\nhttps://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060\nhttps://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4"], "statement": "This vulnerability is rated Important for Red Hat as it affects the `seroval` library, which is utilized in `forgejo` within Fedora and EPEL. The flaw allows for prototype pollution during JSON deserialization due to improper input validation in versions 1.4.0 and below. Exploitation requires processing of malicious JSON input.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:29:49.121677+00:00", "value": {"mitigation_remediation": ["Upgrade seroval to version 1.4.1 or later to apply the vendor fix.", "Validate JSON input against a schema that excludes prototype keys before calling deserialize.", "Audit your code to ensure the library is used only with trusted data and consider limiting its usage to protected contexts."], "summary": {"action": "Apply Patch", "impact": "Prototype Pollution via JSON Deserialization"}, "threat_synthesis": {"affected_systems": "The vulnerable versions of lxsmnsyc's seroval library (1.4.0 and earlier) are used in Node.js applications. All installations of seroval up to 1.4.0 are affected, while releases starting with 1.4.1 contain the patch.", "description_and_impact": "The flaw arises because seroval does not validate object keys during JSON deserialization. An attacker can supply a key that targets internal prototype properties, such as __proto__ or constructor, causing those properties to be overwritten on the Object prototype. This prototype pollution can alter the behavior of any subsequent code that runs in the same JavaScript process.", "risk_and_exploitability": "The CVSS score is 7.3, indicating a high impact, and the EPSS score is below 1%, suggesting that exploitation attempts are currently rare. The vulnerability is not listed in CISA's KEV catalog. Attackers can trigger the flaw by supplying crafted JSON to any code path that invokes seroval's deserialize function; privileged input is not required."}}}}, "created": "2026-01-22T10:08:46.321260+00:00", "updated": "2026-04-18T15:30:03.970928+00:00", "vendors": ["lxsmnsyc", "lxsmnsyc$PRODUCT$seroval"]}