Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d22f35876aaf · 2026-01-21T15:41:54.000Z
GHSA-3rxj-6cgf-8cfw GHSA-hj76-42vx-jwp4 GHSA-m27r-m6rx-mhm4
diff --git a/advisories/github-reviewed/2026/01/GHSA-3rxj-6cgf-8cfw/GHSA-3rxj-6cgf-8cfw.json b/advisories/github-reviewed/2026/01/GHSA-3rxj-6cgf-8cfw/GHSA-3rxj-6cgf-8cfw.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3rxj-6cgf-8cfw",
+  "modified": "2026-01-21T15:41:23Z",
+  "published": "2026-01-21T15:41:22Z",
+  "aliases": [
+    "CVE-2026-23737"
+  ],
+  "summary": "seroval Affected by Remote Code Execution via JSON Deserialization",
+  "details": "Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution.\n\nThe vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to perform 4 separate requests on the same function and partial knowledge of how the serialized data is used during later runtime processing. \n\nThis vulnerability affects the `fromJSON` and `fromCrossJSON` functions in a client-to-server transmission scenario.\n\nNo known workarounds or mitigations are known, so please upgrade to the patched version.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "seroval"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lxsmnsyc/seroval"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T15:41:22Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-hj76-42vx-jwp4/GHSA-hj76-42vx-jwp4.json b/advisories/github-reviewed/2026/01/GHSA-hj76-42vx-jwp4/GHSA-hj76-42vx-jwp4.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hj76-42vx-jwp4",
+  "modified": "2026-01-21T15:41:14Z",
+  "published": "2026-01-21T15:41:14Z",
+  "aliases": [
+    "CVE-2026-23736"
+  ],
+  "summary": "seroval Affected by Prototype Pollution via JSON Deserialization",
+  "details": "Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization.\nThis affects only JSON deserialization functionality.\n\nAs there is no known workaround, please upgrade to the latest version.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "seroval"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lxsmnsyc/seroval"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T15:41:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-m27r-m6rx-mhm4/GHSA-m27r-m6rx-mhm4.json b/advisories/github-reviewed/2026/01/GHSA-m27r-m6rx-mhm4/GHSA-m27r-m6rx-mhm4.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m27r-m6rx-mhm4",
+  "modified": "2026-01-21T15:40:24Z",
+  "published": "2026-01-21T15:40:24Z",
+  "aliases": [
+    "CVE-2026-23524"
+  ],
+  "summary": "Laravel Redis Horizontal Scaling Insecure Deserialization",
+  "details": "### Impact\n\nThis vulnerability affects Laravel Reverb versions prior to v1.7.0 when horizontal scaling is enabled (`REVERB_SCALING_ENABLED=true`).\n\nThe exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication.\n\nWith horizontal scaling enabled, Reverb servers communicate via Redis PubSub. Reverb previously passed data from the Redis channel directly into PHP’s `unserialize()` function without restricting which classes could be instantiated.\n\n**Risk:** Remote Code Execution (RCE)\n\n### Patches\nThis vulnerability is fixed in Laravel Reverb v1.7.0.\n\nUpdate your dependency to `laravel/reverb: ^1.7.0` immediately.\n\n### Workarounds\nIf you cannot upgrade to v1.7.0, you should apply the following mitigations:\n\n* Redis Security: Require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback.\n* Disable Scaling: If your environment uses only one Reverb node, set `REVERB_SCALING_ENABLED=false` to bypass the vulnerable logic entirely.\n\n### Credits\nThis vulnerability was discovered and responsibly reported by Mohammad Yaser Abo-Elmaaty @m0h4mmad",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "laravel/reverb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.7.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/laravel/reverb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/laravel/reverb/releases/tag/v1.7.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://laravel.com/docs/reverb#scaling"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T15:40:24Z",
+    "nvd_published_at": null
+  }
+}
