Arbitrary Code Execution

Orval is vulnerable to Arbitrary Code Execution. The vulnerability is due to incomplete sanitization of untrusted input during code generation, where insufficient escaping in jsStringEscape allows attackers to inject executable JavaScript using only non-alphanumeric characters via JSFuck...

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

@orval/angular (>=8.0.0 <=8.1.0), @orval/axios (>=8.0.0 <=8.1.0) +9 more potentially affected by CVE-2026-25141 via @orval/core (>=8.0.0 <=8.1.0)

@orval/core NPM version =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.1.0 Source cves: CVE-2026-25141 Source advisory: OSV:GHSA-GCH2-PHQH-FG9Q...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the jsStringEscape function. An attacker can execute arbitrary code in generated files by injecting / sequences that breaks out of JavaScript comment blocks. Note: This vulnerability stems from an...

Orval has Code Injection via unsanitized x-enum-descriptions using JS comments

CVE-2026-23947 had an incomplete fix While the current jsStringEscape function properly handles single quotes ', double quotes " and other characters, it fails to sanitize and / characters. This allows attackers to break out of JavaScript comment blocks using / sequences and inject arbitrary code...

@orval/angular (>=8.0.0 <=8.1.0), @orval/axios (>=8.0.0 <=8.1.0) +9 more potentially affected by CVE-2026-23947 +1 more via @orval/core (>=8.0.0-rc.0 <=8.1.0)

@orval/core NPM version =8.0.0-rc.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.1.0 Source cves: CVE-2026-23947, CVE-2026-25141 Source advisory: SNYK:JS-ORVALCORE-15166600...

@beshkenadze/orval-mcp (=7.11.2-fix.2), @orval/angular (>=7.1.0 <=7.20.0) +12 more potentially affected by CVE-2026-23947 +1 more via @orval/core (>=7.10.0 <=7.20.0)

@orval/core NPM version =7.10.0, =7.1.0, =7.1.0, =7.1.0, =7.1.0, =7.10.0, =7.1.0, =7.1.0, =7.1.0, =7.1.0, =1.0.1, =0.0.0, =7.1.0, =7.1.0, =7.13.2 Source cves: CVE-2026-23947, CVE-2026-25141 Source advisory: SNYK:JS-ORVALCORE-15166600...

GHSA-GCH2-PHQH-FG9Q Orval has Code Injection via unsanitized x-enum-descriptions using JS comments

CVE-2026-23947 had an incomplete fix While the current jsStringEscape function properly handles single quotes ', double quotes " and other characters, it fails to sanitize and / characters. This allows attackers to break out of JavaScript comment blocks using / sequences and inject arbitrary code...

@orval/angular (>=7.1.0 <=7.20.0), @orval/axios (>=7.1.0 <=7.20.0) +10 more potentially affected by CVE-2026-25141 via @orval/core (>=7.19.0 <=7.20.0)

@orval/core NPM version =7.19.0, =7.1.0, =7.1.0, =7.1.0, =7.1.0, =7.19.0, =7.1.0, =7.1.0, =7.1.0, =7.1.0, =0.0.0, =7.1.0, =7.1.0, =7.1.1 Source cves: CVE-2026-25141 Source advisory: OSV:GHSA-GCH2-PHQH-FG9Q...

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2026-25141 Orval has a code injection via unsanitized x-enum-descriptions uing JS comments

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2026-25141

CVE-2026-25141 affects Orval (OpenAPI/Swagger codegen) where the jsStringEscape logic is insufficient to sanitize x-enumDescriptions, enabling potential arbitrary code execution via JSFuck-like payloads in generated clients. Affected range includes 7.19.0–7.20.x and 7.21.0 and 8.2.0 with an incom...

CVE-2026-25141 Orval has a code injection via unsanitized x-enum-descriptions uing JS comments

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2026-25141

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

CVE-2026-25141 Orval has a code injection via unsanitized x-enum-descriptions uing JS comments

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

EUVD-2026-5007

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ', double quotes " and so...

Orval code injection vulnerability

Orval is an open-source interface development tool developed by Orval. Versions of Orval from 7.19.0 to 7.21.0, as well as versions before 8.2.0, have a code injection vulnerability. This vulnerability stems from incomplete escape handling in the jsStringEscape function, which may lead to code...

Arbitrary Command Injection

@orval/core is vulnerable to Arbitrary Command Injection. The vulnerability is due to improper handling and escaping of untrusted OpenAPI specification data in the x-enumDescriptions field during enum generation, which allows an attacker to inject and execute arbitrary TypeScript or JavaScript co...

d2m-apigen (>=1.0.1 <=2.1.7), dm-apigen (>=0.0.0 <=1.0.0) +2 more potentially affected by CVE-2026-24132 via @orval/mock (>=7.0.0 <=7.1.1)

@orval/mock NPM version =7.0.0, =1.0.1, =0.0.0, =7.0.0, =7.1.0, =7.13.2 Source cves: CVE-2026-24132 Source advisory: SNYK:JS-ORVALMOCK-15091570...

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the getMockScalar function. An attacker can execute arbitrary code by supplying a crafted OpenAPI specification containing malicious values in the const property, which are then interpolated into generate...