CVE-2026-23947
CVE-2026-23947 / CVE-2026-25141 affect Orval’s OpenAPI JS client generator. Vulnerable in versions prior to 7.21.0 (and 8.2.0) with incomplete/patchy fixes; an attacker can inject arbitrary code via x-enumDescriptions during const enum generation, leading to code execution in generated clients. T...
CVE-2026-23947 Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation
Orval generates type-safe JS clients in TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a...
orval MCP client is vulnerable to a code injection attack.
Impact
The MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. Here is an example OpenAPI with th...