CVE-2026-22785
CRITICAL EPSS 48.9%
Published Jan 12, 20265mo ago · Modified Jun 17, 20262w ago
9.3 CVSS 4.0
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago
Description
orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
48.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-77 Command Injection Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| orval | orval | * | <7.18.0 |
References 2
- github.com https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d
- github.com https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj
Remediation
- github.com https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d