Description

oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.

INFO

Published Date :

2026-03-24T19:18:00.164Z

Last Modified :

2026-03-25T13:34:26.196Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33331 vulnerability.

Vendors Products
Middleapi
  • Orpc
Orpc
  • Orpc
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33331.

URL Resource
https://github.com/middleapi/orpc/commit/4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add cve-icon cve-icon
https://github.com/middleapi/orpc/releases/tag/v1.13.9 cve-icon cve-icon
https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact