CVE-2026-23736
Prototype Pollution in seroval JSON Deserialization Prior to
Publication date: 2026-01-21
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lxsmnsyc | seroval | to 1.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in seroval versions 1.4.0 and below, where improper input validation allows a malicious object key to cause prototype pollution during JSON deserialization. Prototype pollution can alter the behavior of JavaScript objects by modifying their prototype chain, potentially leading to unexpected behavior or security issues. The vulnerability affects only the JSON deserialization functionality and is fixed in version 1.4.1.
How can this vulnerability impact me? :
The vulnerability can lead to prototype pollution, which may allow an attacker to manipulate the behavior of JavaScript objects during JSON deserialization. This can result in data corruption, unauthorized access, or other security impacts such as confidentiality, integrity, and availability loss, as indicated by the CVSS score.
What immediate steps should I take to mitigate this vulnerability?
Upgrade seroval to version 1.4.1 or later, as this version contains the fix for the prototype pollution vulnerability during JSON deserialization.