Cyber Resilience

CVE-2026-23737

HighRCE

Published: 21 January 2026

Published
21 January 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 33.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23737 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Seroval is a JavaScript library designed for stringifying JavaScript values, including complex structures beyond the capabilities of JSON.stringify. CVE-2026-23737 affects versions 1.4.0 and below, stemming from improper input handling in the JSON deserialization component, which can lead to arbitrary JavaScript code execution. The vulnerability specifically impacts the fromJSON and fromCrossJSON functions in client-to-server transmission scenarios, classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires attackers to have low privileges (PR:L) and network access (AV:N), but demands high attack complexity (AC:H) with no user interaction needed. At minimum, attackers must perform four separate requests targeting the same function and possess partial knowledge of how the serialized data is processed at runtime. This enables overriding constant values and error deserialization, providing indirect access to unsafe JavaScript evaluation and resulting in high impacts to confidentiality, integrity, and availability.

The issue has been fixed in seroval version 1.4.0. Mitigation involves upgrading to this patched version. Additional details are available in the GitHub security advisory (GHSA-3rxj-6cgf-8cfw) and the associated commit (ce9408ebc87312fcad345a73c172212f2a798060).

EU & UK References

Vulnerability details

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error…

more

deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Deserialization of untrusted data (CWE-502) in fromJSON/fromCrossJSON directly enables remote arbitrary JS code execution on the server via crafted client-to-server payloads, mapping to T1190 (public-facing app exploitation) and T1059.007 (JavaScript interpreter abuse).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23957Same product: Lxsmnsyc Seroval
CVE-2026-23736Same product: Lxsmnsyc Seroval
CVE-2026-23956Same product: Lxsmnsyc Seroval
CVE-2026-24006Same product: Lxsmnsyc Seroval
CVE-2024-13770Shared CWE-502
CVE-2026-27303Shared CWE-502
CVE-2025-53586Shared CWE-502
CVE-2025-64353Shared CWE-502
CVE-2025-31047Shared CWE-502
CVE-2026-27096Shared CWE-502

Affected Assets

lxsmnsyc
seroval
≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses improper input handling in JSON deserialization by validating untrusted serialized data from clients before processing to prevent arbitrary code execution.

prevent

Remediates the specific deserialization flaw in seroval versions 1.4.0 and below by identifying, prioritizing, and applying patches such as the upgrade to version 1.4.0.

preventdetect

Ensures the integrity of software like seroval through verification mechanisms that detect unauthorized modifications or tampering exploited via deserialization.

References