CVE-2026-23737
Published: 21 January 2026
Summary
CVE-2026-23737 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Seroval is a JavaScript library designed for stringifying JavaScript values, including complex structures beyond the capabilities of JSON.stringify. CVE-2026-23737 affects versions 1.4.0 and below, stemming from improper input handling in the JSON deserialization component, which can lead to arbitrary JavaScript code execution. The vulnerability specifically impacts the fromJSON and fromCrossJSON functions in client-to-server transmission scenarios, classified under CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires attackers to have low privileges (PR:L) and network access (AV:N), but demands high attack complexity (AC:H) with no user interaction needed. At minimum, attackers must perform four separate requests targeting the same function and possess partial knowledge of how the serialized data is processed at runtime. This enables overriding constant values and error deserialization, providing indirect access to unsafe JavaScript evaluation and resulting in high impacts to confidentiality, integrity, and availability.
The issue has been fixed in seroval version 1.4.0. Mitigation involves upgrading to this patched version. Additional details are available in the GitHub security advisory (GHSA-3rxj-6cgf-8cfw) and the associated commit (ce9408ebc87312fcad345a73c172212f2a798060).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3679
Vulnerability details
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error…
more
deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Deserialization of untrusted data (CWE-502) in fromJSON/fromCrossJSON directly enables remote arbitrary JS code execution on the server via crafted client-to-server payloads, mapping to T1190 (public-facing app exploitation) and T1059.007 (JavaScript interpreter abuse).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses improper input handling in JSON deserialization by validating untrusted serialized data from clients before processing to prevent arbitrary code execution.
Remediates the specific deserialization flaw in seroval versions 1.4.0 and below by identifying, prioritizing, and applying patches such as the upgrade to version 1.4.0.
Ensures the integrity of software like seroval through verification mechanisms that detect unauthorized modifications or tampering exploited via deserialization.