CVE-2026-23737
Arbitrary Code Execution in seroval JSON Deserialization
Publication date: 2026-01-21
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lxsmnsyc | seroval | < 1.4.1 (1.4.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in seroval versions 1.4.0 and below, where improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Specifically, exploitation is possible by overriding the deserialization of constant values and errors, which gives indirect access to unsafe JavaScript evaluation. The affected functions are fromJSON and fromCrossJSON in a client-to-server transmission scenario. An attacker needs to make at least 4 separate requests against the same function and must have partial knowledge of how the serialized data is used at runtime.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary JavaScript code execution on the server side, which can compromise confidentiality, integrity, and availability of the affected system. An attacker could execute malicious code remotely, potentially leading to data breaches, unauthorized access, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade seroval to version 1.4.0 or later, as this version contains the fix for the vulnerability. Additionally, restrict an attacker's ability to issue multiple requests against the same function, and limit how far serialized data from untrusted sources is exposed to runtime processing.