CVE-2026-22785

Name of the Vulnerable Software and Affected Versions orval versions prior to 7.18.0

Description orval generates type-safe JS clients (TypeScript) from OpenAPI specifications. Before version 7.18.0, the server generation logic in the MCP component used string manipulation on the summary field from the OpenAPI specification without sufficient validation or escaping. This allows for the injection of arbitrary code by exploiting a string literal breakout. The summary field is a part of the OpenAPI specification used to provide a brief description of an operation.

Recommendations Update to version 7.18.0 or later.