Orval has Code Injection via unsanitized x-enum-descriptions using JS comments

CVE-2026-23947 had an incomplete fix While the current jsStringEscape function properly handles single quotes ', double quotes " and other characters, it fails to sanitize and / characters. This allows attackers to break out of JavaScript comment blocks using / sequences and inject arbitrary code...

GHSA-GCH2-PHQH-FG9Q Orval has Code Injection via unsanitized x-enum-descriptions using JS comments

CVE-2026-23947 had an incomplete fix While the current jsStringEscape function properly handles single quotes ', double quotes " and other characters, it fails to sanitize and / characters. This allows attackers to break out of JavaScript comment blocks using / sequences and inject arbitrary code...

CVE-2026-25141

CVE-2026-25141 affects Orval (OpenAPI/Swagger codegen) where the jsStringEscape logic is insufficient to sanitize x-enumDescriptions, enabling potential arbitrary code execution via JSFuck-like payloads in generated clients. Affected range includes 7.19.0–7.20.x and 7.21.0 and 8.2.0 with an incom...

Google Assistant Authentication Bypass Vulnerability

Google Assistant suffered from an authentication bypass vulnerability allowing a webpage to execute commands without permission. Auth Bypass in Google Assistant Summary: Webpage can execute Google Assistant commands without any permissions Steps to reproduce: Generate the TTS audio files using th...