CVE-2026-23736: seroval Affected by Prototype Pollution via JSON Deserialization

January 21, 2026 (updated January 22, 2026)

Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality.

As there is no known workaround, please upgrade to the latest version.

References

github.com/advisories/GHSA-hj76-42vx-jwp4
github.com/lxsmnsyc/seroval
github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060
github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4
nvd.nist.gov/vuln/detail/CVE-2026-23736

Code Behaviors & Features

Detect and mitigate CVE-2026-23736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →