Cyber Posture

CVE-2026-23736

Severity: High
Published: 21 January 2026
Modified: 27 February 2026
KEV Added: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (42.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23736 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 42.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): Directly mandates proper validation of untrusted JSON inputs to block malicious object keys that cause prototype pollution during seroval deserialization.

Prevent (flaw remediation): Requires timely flaw remediation by upgrading vulnerable seroval versions 1.4.0 and below to the patched 1.4.1.

Detect (RA-5 Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and prioritize exploitation risks from known CVEs like CVE-2026-23736 in application dependencies.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1565.003 Runtime Data Manipulation (Impact): Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Why these techniques?

The CVE enables remote exploitation of public-facing applications via malicious JSON input (T1190), leading to prototype pollution, which is a form of runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.

Deeper analysis

CVE-2026-23736 is a vulnerability in the seroval JavaScript library, which enables stringification of JavaScript values including complex structures beyond standard JSON.stringify capabilities. In versions 1.4.0 and below, improper input validation allows a malicious object key to cause prototype pollution during JSON deserialization. This issue is limited to the JSON deserialization functionality and is associated with CWE-1321. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-01-21.

A remote, unauthenticated attacker can exploit this vulnerability by supplying malicious input to an affected seroval JSON deserialization operation. Successful exploitation leads to prototype pollution, where the attacker can modify properties on Object.prototype, potentially enabling further attacks such as denial of service, information disclosure, or code execution depending on the application's use of polluted prototypes. The low complexity and lack of privileges required make it accessible to attackers targeting applications that process untrusted JSON inputs with vulnerable seroval versions.

The seroval security advisory (GHSA-hj76-42vx-jwp4) and corresponding commit (ce9408ebc87312fcad345a73c172212f2a798060) confirm the issue is fixed in version 1.4.1 through improved input validation. Security practitioners should upgrade to seroval 1.4.1 or later and review applications for unsafe deserialization of untrusted JSON inputs using this library.
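The vulnerable and hardened patterns described above, as an added JavaScript illustration that is not seroval's code and does not reproduce its actual fix: hydrateNaive, hydrateSafe, checkPollution and the sample payload are constructed for this example, and the recursive-merge deserializer is a hypothetical stand-in for a library's JSON deserialization step.

```javascript
// Added illustration of the CWE-1321 pattern described above: NOT seroval's code.
// hydrateNaive/hydrateSafe are hypothetical names for a deserializer that
// merges a parsed JSON tree into an existing target object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: keys are trusted. For key "__proto__", target[key] is
// Object.prototype, so the recursion writes attacker-controlled values there.
function hydrateNaive(target, node) {
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      hydrateNaive(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject prototype-related keys and only descend into properties
// the target itself owns, never inherited ones.
function hydrateSafe(target, node) {
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe object key: ${JSON.stringify(key)}`);
    }
    const value = node[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      hydrateSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample payload: a benign field next to a polluting key.
const POLLUTING_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Reports whether the hydrator rejected the payload and whether Object.prototype
// gained an own "polluted" property; cleans up so each check starts clean.
function checkPollution(hydrate, json = POLLUTING_JSON) {
  let rejected = false;
  try { hydrate({}, JSON.parse(json)); } catch { rejected = true; }
  const polluted = Object.hasOwn(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return { rejected, polluted };
}
```

Running checkPollution(hydrateNaive) reports the prototype as polluted, while checkPollution(hydrateSafe) reports the payload as rejected with Object.prototype untouched.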

Details

CWE(s): CWE-1321 (Prototype Pollution)

Affected Products: lxsmnsyc seroval, versions ≤ 1.4.1

CVEs Like This One

CVE-2026-23737 (same product: Lxsmnsyc Seroval)
CVE-2026-23957 (same product: Lxsmnsyc Seroval)
CVE-2026-23956 (same product: Lxsmnsyc Seroval)
CVE-2026-24006 (same product: Lxsmnsyc Seroval)
CVE-2026-27837 (shared CWE-1321)
CVE-2026-32621 (shared CWE-1321)
CVE-2026-29063 (shared CWE-1321)
CVE-2026-33994 (shared CWE-1321)
CVE-2025-61140 (shared CWE-1321)
CVE-2026-35209 (shared CWE-1321)
