CVE-2026-25141 in orvalالمعلومات

الملخص

بحسب MITRE • 30/01/2026

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

29/01/2026

إفشاء

30/01/2026

الاعتدال

تمت الموافقة

إدخال

VDB-343554

CPE

جاهز

CWE

CWE-94 (مؤكد)

CVSS

9.8 (NVD)

EPSS

0.00034

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-25141
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-25141
CVE Details	https://www.cvedetails.com/cve/CVE-2026-25141/

التالي ▸نظرة عامة ◂ السابق

Want to know what is going to be exploited?

We predict KEV entries!