2431898 – (CVE-2026-23736) CVE-2026-23736 seroval: seroval: Prototype pollution via improper input validation during JSON deserialization

Bug 2431898 (CVE-2026-23736) - CVE-2026-23736 seroval: seroval: Prototype pollution via improper input validation during JSON deserialization

Summary: CVE-2026-23736 seroval: seroval: Prototype pollution via improper input valid...

Keywords:
Status:	NEW
Alias:	CVE-2026-23736
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431947 2431951 2431954
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-22 00:09 UTC by OSIDB Bzimport
Modified:	2026-01-22 05:19 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-22 00:09:09 UTC

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.

Note You need to log in before you can comment on or make changes to this bug.