Alexis H. Munsayac

5 exploits Active since Jan 2026
CVE-2026-23736 WRITEUP HIGH WRITEUP
seroval <1.4.1 - Prototype Pollution
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
CVSS 7.3
CVE-2026-23737 WRITEUP HIGH WRITEUP
seroval < 1.4.1 - Remote Code Execution via JSON Deserialization
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
CVSS 7.5
CVE-2026-23956 WRITEUP HIGH WRITEUP
seroval 0.2.0-1.4.0 - Regular Expression Denial of Service via RegExp Serialization Override
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
CVSS 7.5
CVE-2026-23957 WRITEUP HIGH WRITEUP
seroval < 1.4.1 - Denial of Service via Array Length Manipulation
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1.
CVSS 7.5
CVE-2026-24006 WRITEUP HIGH WRITEUP
seroval < 1.4.1 - Denial of Service via Deep Object Serialization
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached.
CVSS 7.5