Description
Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution.
The vulnerability can be exploited by overriding a constant value and through error deserialization, which together allow indirect access to unsafe JS evaluation.
Recommendation
Update the seroval package to the latest compatible version. Version details:
- Affected version(s): < 1.4.1
- Patched version(s): 1.4.1
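To confirm which installed copies still fall in the affected range, the following added example (not part of the original advisory or of seroval itself) walks a parsed npm lockfile and reports every seroval entry below 1.4.1, including copies nested under other dependencies. The lockfile contents and the package name `example-dep` are constructed for illustration.

```javascript
// Added example: flag seroval installs below the patched release (1.4.1) in an npm lockfile.
const PATCHED = [1, 4, 1];

// Returns true when `version` sorts below 1.4.1 (a prerelease of 1.4.1 counts as below).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return true; // unparseable version: report it for manual review
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (core[i] !== PATCHED[i]) return core[i] < PATCHED[i];
  }
  return Boolean(m[4]);
}

// Walks lockfileVersion 2/3 ("packages" map) and falls back to the
// lockfileVersion 1 nested "dependencies" tree. Returns [{ path, version }].
function findAffectedSeroval(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // Keys look like "node_modules/a/node_modules/seroval"; match the last segment.
      if (path.split("node_modules/").pop() === "seroval" && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "seroval" && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: one patched top-level copy, one vulnerable nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/seroval": { version: "1.4.1" },
    "node_modules/example-dep/node_modules/seroval": { version: "1.3.2" },
    "node_modules/seroval-plugins": { version: "1.3.2" },
  },
};
console.log(findAffectedSeroval(sampleLock));
```

A nested hit means a direct upgrade alone is not enough; the parent dependency must also resolve to a patched seroval.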
References
Related Issues
- seroval Affected by Prototype Pollution via JSON Deserialization - CVE-2026-23736
- OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment - CVE-2026-41900
- Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step - CVE-2026-35216
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
Tags: npm, seroval
Last updated on January 22, 2026


