CVE-2026-23737 (CNNVD-202601-3335)
中文标题:
seroval 代码问题漏洞
英文标题:
seroval Affected by Remote Code Execution via JSON Deserialization
漏洞描述
中文描述:
seroval是Alexis H. Munsayac个人开发者的一个格式化Java库。 seroval 1.4.0及之前版本存在代码问题漏洞,该漏洞源于JSON反序列化组件输入处理不当,可能导致任意JavaScript代码执行。
英文描述:
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| lxsmnsyc | seroval | < 1.4.1 | - | - |
cpe:2.3:a:lxsmnsyc:seroval:<_1.4.1:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
HIGHCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-23737 |
2026-01-22 03:19:50 | 2026-01-21 22:00:10 |
| NVD | nvd_CVE-2026-23737 |
2026-01-22 02:00:05 | 2026-01-21 22:00:14 |
| CNNVD | cnnvd_CNNVD-202601-3335 |
2026-01-26 02:10:03 | 2026-01-25 18:11:55 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 代码问题
- cnnvd_id: 未提取 -> CNNVD-202601-3335
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']