CVE-2026-33331 oRPC: Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specificati...

oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

A Stored Cross-Site Scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification such as info.description, they can break out of the JSON context and execute arbitrary JavaScript when a user views the...

PT-2026-26754

Name of the Vulnerable Software and Affected Versions orpc versions prior to 1.13.9 Description orpc, a tool for building type-safe APIs adhering to OpenAPI standards, contains a stored cross-site scripting XSS issue in its OpenAPI documentation generation. An attacker controlling fields within t...

com.codbex.atlas:codbex-atlas-application (>=2.62.0 <=2.107.0), com.codbex.gaia:codbex-gaia-application (>=2.61.0 <=2.64.0) +22 more potentially affected by CVE-2026-26278 via org.webjars.npm:fast-xml-parser (>=4.5.3 <=5.2.5)

org.webjars.npm:fast-xml-parser MAVEN version =4.5.3, =2.62.0, =2.61.0, =2.52.0, =2.52.0, =2.51.0, =2.51.0, =3.6.0, =2.50.0, =5.0.0, =5.0.0, =11.58.0, =12.2.0, =11.58.0, =11.58.0, =11.48.2, =12.1.0 and more Source cves: CVE-2026-26278 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15325721...