{"url":"http://public2.vulnerablecode.io/api/packages/73531?format=json","purl":"pkg:npm/%40orval/core@8.0.2","type":"npm","namespace":"@orval","name":"core","version":"8.0.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"8.2.0","latest_non_vulnerable_version":"8.2.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49788?format=json","vulnerability_id":"VCID-q8dj-x4cp-fyd6","summary":"Orval has a code injection via unsanitized x-enum-descriptions in enum generation\nArbitrary code execution in environments consuming generated clients\n\nThis issue is similar in nature to the recently-patched MCP vulnerability (CVE-2026-22785), but affects a different code path in @orval/core that was not addressed by that fix.\n\nThe vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation().\nI have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files.","references":[{"reference_url":"https://github.com/orval-labs/orval","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/orval-labs/orval"},{"reference_url":"https://github.com/orval-labs/orval/commit/9e5d93533904936678ba93b5d20f6bca176a4e1e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/orval-labs/orval/commit/9e5d93533904936678ba93b5d20f6bca176a4e1e"},{"reference_url":"https://github.com/orval-labs/orval/releases/tag/v8.0.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/orval-labs/orval/releases/tag/v8.0.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23947","reference_id":"CVE-2026-23947","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23947"},{"reference_url":"https://github.com/advisories/GHSA-h526-wf6g-67jv","reference_id":"GHSA-h526-wf6g-67jv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h526-wf6g-67jv"},{"reference_url":"https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv","reference_id":"GHSA-h526-wf6g-67jv","reference_type":"","scores":[],"url":"https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73531?format=json","purl":"pkg:npm/%40orval/core@8.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540orval/core@8.0.2"}],"aliases":["CVE-2026-23947","GHSA-h526-wf6g-67jv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q8dj-x4cp-fyd6"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540orval/core@8.0.2"}