Home > Vulnerability Database > CVE-2026-23736

Mend.io Vulnerability Database

CVE-2026-23736

Good to know:

Date: January 21, 2026

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.

Severity Score

7.3

Related Resources (5)

Url: https://github.com/lxsmnsyc/seroval

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23736

Url: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4

Url: https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060

Url: https://www.mend.io/vulnerability-database/CVE-2026-23736

Severity Score

7.3

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version seroval - 1.4.1

Learn More

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23736

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?