CVE-2026-23737
HIGH
GHSA-3rxj-6cgf-8cfw
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
Analysis
Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems and apply vendor patches promptly. Restrict deserialization to trusted data sources and implement integrity checks.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today