Skip to main content

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

Vulnerability IntelligenceCVE-2026-23736

CVE-2026-23736

HIGH7.3

seroval Affected by Prototype Pollution via JSON Deserialization

Published Jan 21, 2026

Modified 1 months ago

Details

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.

References

https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060

https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4

https://www.cve.org/CVERecord?id=CVE-2026-23736

CVSS Analysis

CVSS v3.1

7.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

LowA:L

7.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Weakness Type (CWE)

Input Validation

Prototype Pollution

Ecosystems

Timeline

PublishedJan 21, 2026

ModifiedJan 22, 2026

CVE-2026-23736 | Mondoo Vulnerability Intelligence