Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40orpc/openapi@0.0.0-next.eb3d98a

Type npm

Namespace @orpc

Name openapi

Version 0.0.0-next.eb3d98a

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.13.9

Latest_non_vulnerable_version 1.13.9

Affected_by_vulnerabilities

url VCID-4sj6-hrv6-pqc1

vulnerability_id VCID-4sj6-hrv6-pqc1

summary oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33331

reference_id

reference_type

scores

value	0.00018
scoring_system	epss
scoring_elements	0.05142
published_at	2026-06-11T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05135
published_at	2026-06-14T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05153
published_at	2026-06-12T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05143
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33331

reference_url

https://github.com/middleapi/orpc

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/middleapi/orpc

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33331

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33331

reference_url

https://github.com/middleapi/orpc/commit/4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add

reference_id

4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:34:21Z/

url

https://github.com/middleapi/orpc/commit/4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add

reference_url

https://github.com/advisories/GHSA-7f6v-3gx7-27q8

reference_id

GHSA-7f6v-3gx7-27q8

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7f6v-3gx7-27q8

reference_url

https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8

reference_id

GHSA-7f6v-3gx7-27q8

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:34:21Z/

url

https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8

reference_url

https://github.com/middleapi/orpc/releases/tag/v1.13.9

reference_id

v1.13.9

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:34:21Z/

url

https://github.com/middleapi/orpc/releases/tag/v1.13.9

fixed_packages

url	pkg:npm/%40orpc/openapi@1.13.9
purl	pkg:npm/%40orpc/openapi@1.13.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/openapi@1.13.9

aliases CVE-2026-33331, GHSA-7f6v-3gx7-27q8

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4sj6-hrv6-pqc1

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540orpc/openapi@0.0.0-next.eb3d98a

Package Instance