GHSA-76p7-773f-r4q5 · Severity: medium · Ecosystem: npm — Cross-site Scripting (XSS) in serialize-javascript
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.
Conclusion & alert: CVE-2024-11831 is rated Moderate Risk (41.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.98%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.13% | 0.98% | -0.15% |
| 2 | 2026-05-25 | 0.94% | 1.13% | +0.19% |
| 3 | 2026-05-22 | — | 0.94% | — |
Full EPSS history (26 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.4 | 3.1 | MEDIUM | — | 2.3 | 2.7 | [email protected] |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | unimportant | CVE-2024-11831 unimportant priority: Debian including 1 source package (node-serialize-javascript), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2024-11831 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2024-11831 |
| suse | medium | CVE-2024-11831 severity moderate: SUSE including 82 source package names (aspnetcore-runtime-8.0-8.0.12-1.el8_10, aspnetcore-runtime-8.0-8.0.12-1.el9_5, …), 339 product×package rows across 35 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Liberty Linux 8, …): Known Not Affected 315, Fixed 24. | https://www.suse.com/security/cve/CVE-2024-11831/ |
| ubuntu | medium | CVE-2024-11831 medium priority: Ubuntu including 1 source package (node-serialize-javascript), 7 status rows across 7 suites (focal, jammy, noble, oracular, plucky, questing, upstream): needs-triage 4, ignored 2, DNE 1. | https://ubuntu.com/security/CVE-2024-11831 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | | | |