CVE-2026-22785

CRITICAL EPSS 48.9%
Published Jan 12, 20265mo ago · Modified Jun 17, 20262w ago
9.3 CVSS 4.0
Critical
Find Similar
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
48.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-77 Command Injection Injection

Affected Products 1

VendorProductVersionRange
orvalorval* <7.18.0

References 2

  • github.com https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d
    Patch
  • github.com https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d
    Patch