{"vulnerability": "cve-2026-23737", "sightings": [{"uuid": "aa9bb392-37c0-493e-924e-4ac8cb7145f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mcxuwndae222", "content": "", "creation_timestamp": "2026-01-22T00:00:09.508078Z"}, {"uuid": "048593a4-9a69-4995-a4cc-a0ce863738db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mcy2gsutwl2m", "content": "", "creation_timestamp": "2026-01-22T01:38:39.263548Z"}, {"uuid": "721d3eee-c473-4a31-8a5f-a4b8d8232446", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-23737", "type": "seen", "source": "https://gist.github.com/alon710/f37dde72118656f1c6b1cac083cc2cb1", "content": "# GHSA-9M65-766C-R333: GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-05-14\n> **Full Report:** https://cvereports.com/reports/GHSA-9M65-766C-R333\n\n## Summary\nA type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).\n\n## TL;DR\nTanStack Start is vulnerable to deserialization type confusion via the `seroval` library. Attackers can craft JSON payloads to silently trigger unintended server functions, bypassing request-level middleware and audit logs.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-843\n- **Attack Vector**: Network\n- **Upstream CVSS**: 7.1\n- **TanStack Start CVSS**: Low\n- **Impact**: Unintended Function Execution / Upstream RCE\n- **Exploit Status**: Theoretical / Multi-stage\n\n## Affected Systems\n\n- TanStack Start Server Core\n- Seroval Deserialization Library\n- React Server Components utilizing affected TanStack packages\n- Solid Start utilizing affected TanStack packages\n- **@tanstack/start-server-core**: < 1.167.30 (Fixed in: `1.167.30`)\n- **seroval**: <= 1.5.2 (Fixed in: `1.5.3`)\n\n## Mitigation\n\n- Upgrade `@tanstack/start-server-core` to `1.167.30` or higher.\n- Upgrade `seroval` to `1.5.3` or higher.\n- Enforce strict input validation on all client-exposed server functions.\n- Implement authentication and authorization checks exclusively at the function level via middleware.\n\n**Remediation Steps:**\n1. Identify all projects utilizing TanStack Start or standalone `seroval`.\n2. Execute `npm install @tanstack/start-server-core@latest seroval@latest` to fetch the patched versions.\n3. Verify the dependency tree using `npm ls seroval` to ensure no transitive dependencies are locking an outdated version.\n4. Audit all `createServerFn` implementations to confirm the presence of `.inputValidator()` and `.middleware()` directives.\n5. Deploy the updated application to all environments.\n\n## References\n\n- [TanStack Router Security Advisory](https://github.com/TanStack/router/security/advisories/GHSA-9m65-766c-r333)\n- [Seroval Upstream Advisory](https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw)\n- [CVE-2026-23737 Details](https://nvd.nist.gov/vuln/detail/CVE-2026-23737)\n- [OSV Data for GHSA-9m65-766c-r333](https://osv.dev/vulnerability/GHSA-9m65-766c-r333)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-9M65-766C-R333) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-14T18:10:29.000000Z"}]}