{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-29T16:56:25.309","vulnerabilities":[{"cve":{"id":"CVE-2019-16769","sourceIdentifier":"security-advisories@github.com","published":"2019-12-05T19:15:15.180","lastModified":"2026-06-17T02:22:45.870","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The serialize-javascript npm package before version 2.1.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability."},{"lang":"es","value":"Las versiones afectadas de este paquete son vulnerables a un ataque de tipo Cross-site Scripting (XSS). No mitiga apropiadamente contra caracteres no seguros en expresiones regulares serializadas. Esta vulnerabilidad no está afectada en el entorno Node.js ya que la implementación de Node.js de todos los escape de barra invertida de la función RegExp.prototype.toString() envía barras diagonales en expresiones regulares. Si los datos serializados de los objetos de expresión regular son usados en un entorno diferente de Node.js, es afectada por esta vulnerabilidad."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"yahoo","product":"serialize-javascript","versions":[{"version":"< 2.1.1","lessThan":"2.1.1","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":4.2,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.6,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","baseScore":3.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:verizon:serialize-javascript:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.1.1","matchCriteriaId":"C1A2E126-2CC2-4EB9-9738-B981ED74E0B7"}]}]}],"references":[{"url":"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}