CVE-2026-23736

7.3 HIGH

📋 TL;DR

CVE-2026-23736 is a prototype pollution vulnerability in seroval's JSON deserialization functionality that allows attackers to modify JavaScript object prototypes by supplying crafted object keys that target the prototype chain in the JSON being deserialized. This affects applications using seroval versions 1.4.0 and below for JSON deserialization. Successful exploitation could lead to denial of service, data corruption, or potentially remote code execution depending on the application context.

💻 Affected Systems

Products:
  • seroval
Versions: 1.4.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects JSON deserialization functionality; serialization is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution through prototype pollution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Denial of service, application crashes, or data corruption through prototype pollution affecting application stability.

🟢 If Mitigated: Limited impact with proper input validation and sandboxing, potentially causing only minor application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub advisory; exploitation requires attacker to control JSON input to deserialization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.1

Vendor Advisory: https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4

Restart Required: No

Instructions:

1. Update the seroval package to version 1.4.1 or higher.
2. For npm: 'npm update seroval'.
3. For yarn: 'yarn upgrade seroval'.
4. Verify the update with 'npm list seroval' or 'yarn list seroval'.

🔧 Temporary Workarounds

Input validation wrapper (applies to: all)

Implement custom input validation before passing data to seroval deserialization.

// JavaScript example: Validate object keys before deserialization
import * as seroval from 'seroval';
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
// Recursively reject forbidden names, both as property keys and as string values (seroval's
// JSON format carries object keys as strings inside its node tree), before the payload reaches seroval.
function assertSafeKeys(v) {
  if (typeof v === 'string' && FORBIDDEN.has(v)) throw new Error(`Unsafe key "${v}" rejected`);
  if (v === null || typeof v !== 'object') return;
  for (const k of Object.keys(v)) { if (FORBIDDEN.has(k)) throw new Error(`Unsafe key "${k}" rejected`); assertSafeKeys(v[k]); }
}
function safeDeserialize(input) { // input: JSON string or already-parsed value
  assertSafeKeys(typeof input === 'string' ? JSON.parse(input) : input);
  return seroval.deserialize(input);
}

🧯 If You Can't Patch

  • Disable or restrict JSON deserialization functionality in seroval
  • Implement strict input validation and sanitization for all JSON inputs

🔍 How to Verify

Check if Vulnerable:

Check package.json or lock file for seroval version <=1.4.0

Check Version:

npm list seroval | grep seroval || yarn list seroval | grep seroval

Verify Fix Applied:

Verify seroval version is >=1.4.1 using package manager commands

📡 Detection & Monitoring

Log Indicators:

  • Unusual JSON parsing errors
  • Application crashes during deserialization
  • Unexpected prototype modifications

Network Indicators:

  • Malformed JSON payloads with unusual object keys
  • Requests containing __proto__ or constructor properties
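Added example (not from the advisory or the seroval project): a small scanner that applies the network indicators above to HTTP request log records, reporting the JSON path of every key that targets the prototype chain and flagging bodies that fail to parse (the parsing-error indicator from the log indicators). The log record shape ({ts, path, body}), the field names and the sample records are assumptions constructed for this example.

```javascript
// Added detection example; the log record shape ({ts, path, body}) is an assumption.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return the JSON path of every key in `value` that names a prototype-chain property.
function findPollutionPaths(value, path = '$', out = []) {
  if (value === null || typeof value !== 'object') return out;
  const entries = Array.isArray(value) ? value.map((v, i) => [i, v]) : Object.entries(value);
  for (const [key, child] of entries) {
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (POLLUTION_KEYS.has(String(key))) out.push(childPath);
    findPollutionPaths(child, childPath, out);
  }
  return out;
}

// Classify one request record; returns null when nothing is suspicious.
function inspectRecord(record) {
  let parsed;
  try { parsed = JSON.parse(record.body); }
  catch { return { ts: record.ts, path: record.path, indicator: 'json_parse_error' }; }
  const hits = findPollutionPaths(parsed);
  return hits.length ? { ts: record.ts, path: record.path, indicator: 'prototype_key', keys: hits } : null;
}

// Scan a whole log and keep only the suspicious records.
function scanLog(records) { return records.map(inspectRecord).filter(Boolean); }

// Constructed sample records (not real traffic)
const SAMPLE_LOG = [
  { ts: '2026-01-10T09:00:00Z', path: '/api/profile', body: '{"name":"alice","age":30}' },
  { ts: '2026-01-10T09:00:05Z', path: '/api/profile', body: '{"name":"x","__proto__":{"isAdmin":true}}' },
  { ts: '2026-01-10T09:00:09Z', path: '/api/import', body: '{"items":[{"constructor":{"prototype":{"polluted":1}}}]}' },
  { ts: '2026-01-10T09:00:12Z', path: '/api/import', body: '{"items":[1,2' },
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

JSON.parse creates an own, enumerable property named "__proto__" rather than setting the prototype, so Object.entries sees it and the scanner reports it; the reported paths can feed the SIEM query below as a more precise indicator than a plain substring match on the request body.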

SIEM Query:

source="application_logs" AND ("seroval" OR "deserialize") AND ("error" OR "crash" OR "prototype")
