{"vulnerability": "cve-2026-2373", "sightings": [{"uuid": "9e3c9690-05d2-4baa-b049-219c583692d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-2373", "type": "seen", "source": "https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-2373", "content": "", "creation_timestamp": "2026-03-17T03:16:14.000000Z"}, {"uuid": "c850b3a2-db31-40db-a129-456b8f895134", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23738", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3me72d5vhru2o", "content": "", "creation_timestamp": "2026-02-06T13:50:26.100027Z"}, {"uuid": "84bc9e58-b273-4bdd-99f9-c07a34527470", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23739", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3me72d5vhru2o", "content": "", "creation_timestamp": "2026-02-06T13:50:26.219065Z"}, {"uuid": "0faaeb58-e447-45d3-bc91-c541059308e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23733", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mcqffwsv3v25", "content": "", "creation_timestamp": "2026-01-19T00:33:42.891469Z"}, {"uuid": "100d5e9f-2b28-4657-8cfe-6f69d43ceee0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23730", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mclb3wbvmo2w", "content": "", "creation_timestamp": "2026-01-16T23:33:13.115260Z"}, {"uuid": "55ef1253-77bb-4932-9096-0cccca71a2eb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23731", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mclbqn3nkf2f", "content": "", "creation_timestamp": "2026-01-16T23:44:48.517481Z"}, {"uuid": "c01d76f1-9ca8-42b4-b9d6-f398f21876f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mclcqwwc3g2r", "content": "", "creation_timestamp": "2026-01-17T00:02:52.320742Z"}, {"uuid": "85298c3c-c837-4307-9b40-024c5639524e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://bsky.app/profile/bilaltariq01.bsky.social/post/3mcle6obxfw2e", "content": "", "creation_timestamp": "2026-01-17T00:28:27.432511Z"}, {"uuid": "2c16d419-552e-4fcd-82ca-3b633c5863ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mcnpi4pfqdk2", "content": "", "creation_timestamp": "2026-01-17T23:05:29.547020Z"}, {"uuid": "94992841-e465-4f38-a3da-992cd57af9f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mcnpjfp4xes2", "content": "", "creation_timestamp": "2026-01-17T23:05:33.114278Z"}, {"uuid": "e29f2af5-c375-4fb0-8b81-0d8498eafbf8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/6eed3cb62a9127c97662b882f464883d", "content": "", "creation_timestamp": "2026-01-24T22:28:49.000000Z"}, {"uuid": "5513e104-6917-41ef-ae23-3f2dbf724cc8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23733", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mcvkjm6azaw2", "content": "", "creation_timestamp": "2026-01-21T01:50:10.146131Z"}, {"uuid": "5c4fc3fa-f497-45d8-922e-c60c80800780", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/d087383ad13375511b2c1165a278566e", "content": "", "creation_timestamp": "2026-01-24T21:24:03.000000Z"}, {"uuid": "bc1d2d52-37b4-4486-b443-5d86fe163e84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23733", "type": "seen", "source": "https://gist.github.com/alon710/eb25db4a01805c42059e24903b5ab96b", "content": "", "creation_timestamp": "2026-01-24T21:23:36.000000Z"}, {"uuid": "aa9bb392-37c0-493e-924e-4ac8cb7145f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mcxuwndae222", "content": "", "creation_timestamp": "2026-01-22T00:00:09.508078Z"}, {"uuid": "28471da7-ed76-4e64-a5e4-7c0129987107", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23736", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mcxz7lasom2t", "content": "", "creation_timestamp": "2026-01-22T01:16:42.337077Z"}, {"uuid": "048593a4-9a69-4995-a4cc-a0ce863738db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mcy2gsutwl2m", "content": "", "creation_timestamp": "2026-01-22T01:38:39.263548Z"}, {"uuid": "9b0ac81f-af26-4c8a-936a-0b8db4f342b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23735", "type": "seen", "source": "https://gist.github.com/alon710/95477fa5cbe88286938656473c76c7a9", "content": "", "creation_timestamp": "2026-01-24T22:28:46.000000Z"}, {"uuid": "1d3ec91e-8233-447f-b4dc-f15ccbc5b855", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-23733", "type": "published-proof-of-concept", "source": "https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443", "content": "", "creation_timestamp": "2026-01-17T02:33:58.000000Z"}, {"uuid": "721d3eee-c473-4a31-8a5f-a4b8d8232446", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://gist.github.com/alon710/f37dde72118656f1c6b1cac083cc2cb1", "content": "# GHSA-9M65-766C-R333: GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/GHSA-9M65-766C-R333\n\n## Summary\nA type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).\n\n## TL;DR\nTanStack Start is vulnerable to deserialization type confusion via the `seroval` library. Attackers can craft JSON payloads to silently trigger unintended server functions, bypassing request-level middleware and audit logs.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-843\n- **Attack Vector**: Network\n- **Upstream CVSS**: 7.1\n- **TanStack Start CVSS**: Low\n- **Impact**: Unintended Function Execution / Upstream RCE\n- **Exploit Status**: Theoretical / Multi-stage\n\n## Affected Systems\n\n- TanStack Start Server Core\n- Seroval Deserialization Library\n- React Server Components utilizing affected TanStack packages\n- Solid Start utilizing affected TanStack packages\n- **@tanstack/start-server-core**: < 1.167.30 (Fixed in: `1.167.30`)\n- **seroval**: <= 1.5.2 (Fixed in: `1.5.3`)\n\n## Mitigation\n\n- Upgrade `@tanstack/start-server-core` to `1.167.30` or higher.\n- Upgrade `seroval` to `1.5.3` or higher.\n- Enforce strict input validation on all client-exposed server functions.\n- Implement authentication and authorization checks exclusively at the function level via middleware.\n\n**Remediation Steps:**\n1. Identify all projects utilizing TanStack Start or standalone `seroval`.\n2. Execute `npm install @tanstack/start-server-core@latest seroval@latest` to fetch the patched versions.\n3. Verify the dependency tree using `npm ls seroval` to ensure no transitive dependencies are locking an outdated version.\n4. Audit all `createServerFn` implementations to confirm the presence of `.inputValidator()` and `.middleware()` directives.\n5. Deploy the updated application to all environments.\n\n## References\n\n- [TanStack Router Security Advisory](https://github.com/TanStack/router/security/advisories/GHSA-9m65-766c-r333)\n- [Seroval Upstream Advisory](https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw)\n- [CVE-2026-23737 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-23737)\n- [OSV Data for GHSA-9m65-766c-r333](https://osv.dev/vulnerability/GHSA-9m65-766c-r333)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-9M65-766C-R333) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-14T18:10:29.000000Z"}, {"uuid": "128f0773-8983-442d-a46d-7af7b61fbe93", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-23734", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116612099529875004", "content": "\u26a0\ufe0f CRITICAL: CVE-2026-23734 in XWiki Platform (xwiki-commons) allows unauthenticated path traversal \u2014 attackers can read config files via crafted 'resource' parameters. Patch to 18.1.0-rc-1, 17.10.3, 17.4.9, or 16.10.17+ now! https://radar.offseq.com/threat/cve-2026-23734-cwe-23-relative-path-traversal-in-x-16518aab #OffSeq #xwiki #vuln", "creation_timestamp": "2026-05-21T10:30:29.608958Z"}, {"uuid": "135be95b-bcc3-4d8c-a418-348b2c16b518", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-23734", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mme7ngimaj23", "content": "CRITICAL: XWiki xwiki-commons path traversal lets attackers read config files unauthenticated. Affects <18.1.0-rc-1, <17.10.3, <17.4.9, <16.10.17. Patch immediately! \ud83d\udd12 https://radar.offseq.com/threat/cve-2026-23734-cwe-23-relative-path-traversal-in-x-16518aab #OffSeq #xwiki #security", "creation_timestamp": "2026-05-21T10:30:32.051692Z"}, {"uuid": "cc589b5f-1dc0-4cb5-b1d3-0f30f99071b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-23735", "type": "published-proof-of-concept", "source": "https://github.com/graphql-hive/envelop/security/advisories/GHSA-h3hw-29fv-2x75", "content": "", "creation_timestamp": "2026-01-20T17:15:01.000000Z"}, {"uuid": "7df17543-22f6-47ad-9e8d-5d1ecd71df49", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-23735", "type": "published-proof-of-concept", "source": "https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7", "content": "", "creation_timestamp": "2026-01-16T15:28:29.000000Z"}]}