CVE-2026-28794
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...
CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject...
Prototype Pollution
Overview @orpc/client is a Affected versions of this package are vulnerable to Prototype Pollution via the deserialize function in StandardRPCJsonSerializer. An attacker can inject arbitrary properties into the global Object.prototype by sending specially crafted payloads containing dangerous...
@amqp-contract/asyncapi (>=0.2.0 <=0.21.0), @bgd-labs/indexer-client (>=1.23.1 <=1.42.1) +37 more potentially affected by CVE-2026-28794 via @orpc/client (>=1.0.0-beta.1 <=1.13.5)
@orpc/client NPM version =1.0.0-beta.1, =0.2.0, =1.23.1, =1.8.6, =0.1.0-beta.20, =0.1.1, =0.1.0, =0.0.0, =1.0.0-beta.2, =1.0.0-beta.1, =1.10.0, =1.13.14 and more Source cves: CVE-2026-28794 Source advisory: SNYK:JS-ORPCCLIENT-15426550...
PT-2026-23000
Name of the Vulnerable Software and Affected Versions: orpc versions prior to 1.13.6; @orpc/client versions prior to 1.13.6. Description: A critical prototype pollution issue exists in the RPC JSON deserializer of the @orpc/client package. This allows unauthenticated, remote attackers to inject...