13 matches found

Github Security Blog
added 2026/05/14 4:37 p.m., 7 views

TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function

Summary: A type-confusion bug in seroval ≤ 1.5.2 (upstream advisory) allowed a crafted JSON body sent to one TanStack Start server function to trigger invocation of a different client-referenced server function as a side effect of deserializing the request payload. This is not an authentication bypa...

AI score: 6.1
Exploits: 0, References: 3, Affected software: 1

Snyk
added 2026/01/22 3:46 a.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview: seroval is a "Stringify JS values" package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when serializing objects with very large depth. An attacker can cause resource exhaustion and disrupt service availability by submitting objects with...

CVSS: 8.7, AI score: 5.5, EPSS: 0.00041
Exploits: 0, References: 2

vulnersOsv
added 2026/01/22 3:46 a.m., 4 views

@aexol/opencode-tui (>=0.2.5 <=0.2.10), @alcyone-labs/arg-parser (>=2.11.0 <=2.13.4) +88 more potentially affected by CVE-2026-24006 via seroval (>=1.0.7 <=1.3.2)

seroval NPM version =1.0.7, =0.2.5, =2.11.0, =1.0.0, =1.0.0, =1.1.54, =1.1.54, =1.0.24, =0.1.0, =0.3.0, =1.0.0, =1.1.1 and more. Source CVEs: CVE-2026-24006. Source advisory: SNYK:JS-SEROVAL-15054527...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00041
Exploits: 0

NVD
added 2026/01/22 2:15 a.m., 1 view

CVE-2026-23956

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegE...

CVSS: 7.5, EPSS: 0.00068
Exploits: 0, References: 3

NVD
added 2026/01/22 2:15 a.m., 2 views

CVE-2026-23957

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing...

CVSS: 7.5, EPSS: 0.00041
Exploits: 0, References: 2

CVE
added 2026/01/22 1:26 a.m., 8 views

CVE-2026-23957

Summary (CVE-2026-23957): The vulnerability affects the Seroval library, where an attacker can cause notably increased processing time during deserialization by overriding encoded array lengths with an excessively large value. This leads to a Denial of Service condition for versions 1.4.0 and ea...

CVSS: 7.5, AI score: 5.5, EPSS: 0.00041
Exploits: 0, References: 2, Affected software: 1

Cvelist
added 2026/01/21 11:09 p.m., 14 views

CVE-2026-23737: seroval affected by Remote Code Execution via JSON Deserialization

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding consta...

CVSS: 7.5, EPSS: 0.0014
Exploits: 0, References: 2

vulnersOsv
added 2026/01/21 5:05 p.m., 3 views

@aexol/opencode-tui (>=0.2.5 <=0.2.10), @alcyone-labs/arg-parser (>=2.11.0 <=2.13.4) +88 more potentially affected by CVE-2026-23957 via seroval (>=1.0.7 <=1.3.2)

seroval NPM version =1.0.7, =0.2.5, =2.11.0, =1.0.0, =1.0.0, =1.1.54, =1.1.54, =1.0.24, =0.1.0, =0.3.0, =1.0.0, =1.1.1 and more. Source CVEs: CVE-2026-23957. Source advisory: SNYK:JS-SEROVAL-15054525...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00041
Exploits: 0

Snyk
added 2026/01/21 5:05 p.m., 1 view

Allocation of Resources Without Limits or Throttling

Overview: org.webjars.npm:seroval is a "Stringify JS values" package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the encoded array lengths serialization process. An attacker can cause excessive processing time by overriding encoded array lengt...

CVSS: 7.5, AI score: 5.6, EPSS: 0.00041
Exploits: 0, References: 2

vulnersOsv
added 2026/01/21 4:57 p.m., 4 views

@aexol/opencode-tui (>=0.2.5 <=0.2.10), @agent-embed/js (>=0.0.1 <=0.0.45) +272 more potentially affected by CVE-2026-23956 via seroval (>=0.2.1 <=1.3.2)

seroval NPM version =0.2.1, =0.2.5, =0.0.1, =2.11.0, =1.0.0, =1.0.0, =0.0.1, =0.0.1, =0.0.7, =0.0.1, =0.0.1, =1.0.0, =0.1.26, =0.0.1, =0.0.17-demo-01 and more. Source CVEs: CVE-2026-23956. Source advisory: OSV:GHSA-HX9M-JF43-8FFR...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00068
Exploits: 0

vulnersOsv
added 2026/01/21 4:57 p.m., 4 views

@aexol/opencode-tui (>=0.2.5 <=0.2.10), @alcyone-labs/arg-parser (>=2.11.0 <=2.13.4) +88 more potentially affected by CVE-2026-23956 via seroval (>=1.0.7 <=1.3.2)

seroval NPM version =1.0.7, =0.2.5, =2.11.0, =1.0.0, =1.0.0, =1.1.54, =1.1.54, =1.0.24, =0.1.0, =0.3.0, =1.0.0, =1.1.1 and more. Source CVEs: CVE-2026-23956. Source advisory: SNYK:JS-SEROVAL-15054520...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00068
Exploits: 0

Snyk
added 2026/01/21 3:41 p.m., 3 views

Deserialization of Untrusted Data

Overview: seroval is a "Stringify JS values" package. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the fromJSON and fromCrossJSON functions during JSON deserialization. An attacker can execute arbitrary JavaScript code by crafting serialized data that exploits...

CVSS: 7.7, AI score: 6.1, EPSS: 0.0014
Exploits: 0, References: 2

vulnersOsv
added 2026/01/21 3:41 p.m., 3 views

org.webjars.npm:solid-js (=1.9.5) potentially affected by CVE-2026-23736 via org.webjars.npm:seroval (=1.2.1)

org.webjars.npm:seroval MAVEN version =1.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:seroval and may be impacted: org.webjars.npm:solid-js =1.9.5. Source CVEs: CVE-2026-23736. Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15054524...

CVSS: 9.8, AI score: 5.8, EPSS: 0.00333
Exploits: 0
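Every entry above is a seroval version range, and most of the "potentially affected" rows are dependents that pull seroval in transitively (solid-js, TanStack Start, the +88 and +272 packages), so the practical check is not "do I depend on seroval" but "which seroval copies are in my lockfile and which ranges cover them". The script below is an added example, not code from the seroval project or from any of the advisory sources listed; it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`, finds every seroval install (hoisted or nested under another package), and matches each version against the inclusive ranges as quoted on this page: 1.4.0 and below for CVE-2026-23737 and CVE-2026-23957, 0.2.0 through 1.4.0 for CVE-2026-23956, >=1.0.7 <=1.3.2 for CVE-2026-24006 as the vulnersOsv rows give it, and ≤ 1.5.2 for the TanStack Start type-confusion advisory. CVE-2026-23736 is listed only against the single version 1.2.1 and is left out of the table. The sources above do not all agree on bounds, so treat a hit as a prompt to read the upstream advisory, not as a verdict. The lockfile embedded at the bottom is constructed for the demo; the solid-js 1.9.5 / seroval 1.2.1 pairing comes from the listing, and the package `some-dev-tool` and the version 1.6.0 are assumed, not taken from any advisory.

```javascript
// Added example: audit a package-lock.json for seroval copies against the
// version ranges quoted in the advisory listing. Not seroval's own code.

// Inclusive bounds copied from the advisory texts in the listing. Where the
// sources disagree, the wider bound quoted on the page is used; confirm a hit
// against the upstream advisory before acting on it.
const SEROVAL_ADVISORIES = [
  { id: "CVE-2026-23737", issue: "RCE via JSON deserialization (fromJSON/fromCrossJSON)", min: "0.0.0", max: "1.4.0" },
  { id: "CVE-2026-23957", issue: "DoS via overridden encoded array lengths", min: "0.0.0", max: "1.4.0" },
  { id: "CVE-2026-23956", issue: "memory exhaustion via overridden RegExp serialization", min: "0.2.0", max: "1.4.0" },
  { id: "CVE-2026-24006", issue: "resource exhaustion when serializing very large depth", min: "1.0.7", max: "1.3.2" },
  { id: "TanStack Start advisory", issue: "type confusion invoking a sibling server function", min: "0.0.0", max: "1.5.2" },
];

// "1.2.3-beta.1" -> [1, 2, 3]. The prerelease tag is dropped, so a prerelease
// is treated like the release it precedes, which keeps it inside a range
// whose upper bound is that release (the conservative choice for an audit).
function parseVersion(v) {
  const parts = String(v).split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new TypeError(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric compare of major.minor.patch; a string compare would put 1.10.0 before 1.9.5.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Every seroval install in the lockfile. The hoisted copy lives at
// "node_modules/seroval"; a nested copy at "<parent>/node_modules/seroval",
// which is the one a quick grep of package.json files tends to miss.
function findSerovalInstalls(lockfile) {
  const packages = lockfile && lockfile.packages;
  if (!packages || typeof packages !== "object") {
    throw new TypeError("expected a lockfileVersion 2/3 package-lock.json with a 'packages' map");
  }
  const suffix = "/node_modules/seroval";
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "node_modules/seroval") {
      hits.push({ path, parent: "(root)", version: meta.version, dev: Boolean(meta.dev) });
    } else if (path.endsWith(suffix)) {
      // Strip the leading "node_modules/" and the trailing "/node_modules/seroval".
      const parent = path.slice("node_modules/".length, path.length - suffix.length);
      hits.push({ path, parent, version: meta.version, dev: Boolean(meta.dev) });
    }
  }
  return hits;
}

// Each install plus the IDs of every advisory whose range covers its version.
function auditLockfile(lockfile) {
  return findSerovalInstalls(lockfile).map((install) => ({
    ...install,
    advisories: SEROVAL_ADVISORIES
      .filter((a) => inRange(install.version, a.min, a.max))
      .map((a) => a.id),
  }));
}

function formatReport(findings) {
  return findings.map((f) => {
    const status = f.advisories.length === 0 ? "OK" : `AFFECTED by ${f.advisories.join(", ")}`;
    return `${f.path} (via ${f.parent}${f.dev ? ", dev" : ""}) seroval@${f.version}: ${status}`;
  });
}

// Constructed lockfile for the demo. solid-js 1.9.5 pinning seroval 1.2.1 is
// the pairing the listing reports; "some-dev-tool" and seroval 1.6.0 are
// assumed (1.6.0 only as a version outside every range quoted above).
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/seroval": { version: "1.6.0" },
    "node_modules/solid-js": { version: "1.9.5" },
    "node_modules/solid-js/node_modules/seroval": { version: "1.2.1" },
    "node_modules/some-dev-tool": { version: "2.0.0", dev: true },
    "node_modules/some-dev-tool/node_modules/seroval": { version: "1.4.0", dev: true },
  },
};

console.log(formatReport(auditLockfile(SAMPLE_LOCKFILE)).join("\n"));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(require("node:fs").readFileSync("package-lock.json", "utf8"))`. Note what the nested-copy case means for remediation: bumping the top-level seroval does nothing for a copy pinned under solid-js or a TanStack package, so the fix is to update the parent (or add an `overrides` entry) and then re-run the scan on the regenerated lockfile.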