PT-2026-26754 · Orpc · Orpc

Abhayclasher

·

Published

2026-03-20

·

Updated

2026-03-24

·

CVE-2026-33331

CVSS v3.1

8.2

High

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
orpc versions prior to 1.13.9

Description
orpc, a tool for building type-safe APIs that follow the OpenAPI standard, contains a stored cross-site scripting (XSS) issue in its OpenAPI documentation generation. An attacker who controls string fields of the OpenAPI specification, such as info.description, can inject JavaScript that executes in the browser of any user who views the generated API documentation. The root cause is in the renderDocsHtml() function in packages/openapi/src/plugins/openapi-reference.ts, which embeds the specification into the HTML response with JSON.stringify() and no HTML escaping. JSON.stringify() escapes quotes and control characters but leaves <, > and / untouched, so a field value containing a payload such as </script><script>... terminates the script element early and opens a new one whose contents the browser executes as arbitrary JavaScript. If an administrator or developer views the compromised documentation, the impact includes session hijacking and unauthorized API calls made with that user's credentials.

Recommendations
Update versions prior to 1.13.9 to version 1.13.9 or later. Do not embed raw JSON.stringify() output directly into HTML templates. Instead, serialize the JSON so that HTML-sensitive characters (at least < and >, for example as \u003c and \u003e, which remain valid JSON and valid JavaScript string escapes) cannot reach the HTML parser, or use a serialization library intended for this purpose such as serialize-javascript or devalue before placing the data inside a <script> tag.
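To make the breakout and the fix concrete, the following is an added example written for this page; it is not orpc's own code and does not reproduce renderDocsHtml(). It uses a minimal stand-in template, the hypothetical function names renderDocsHtmlVulnerable, serializeForScript, renderDocsHtmlSafe and countScriptCloses, and a constructed specification whose info.description carries a </script> breakout payload. It shows that JSON.stringify() passes the payload through verbatim, that escaping < and > (plus U+2028/U+2029, which older JavaScript engines treated as line terminators) keeps the serialized value inside the script element, and that the escaped form still parses back to the original specification.

```typescript
// Added example, not orpc project code. The template below only mimics the
// pattern the advisory describes: embedding a JSON-serialized OpenAPI spec
// into a <script> block of the generated documentation page.

interface OpenAPISpec {
  openapi: string;
  info: { title: string; description?: string };
  paths: Record<string, unknown>;
}

// Constructed attacker-controlled spec: info.description closes the script
// element and opens a new one. JSON.stringify() will not touch '<', '>' or '/'.
const maliciousSpec: OpenAPISpec = {
  openapi: '3.1.0',
  info: {
    title: 'Demo API',
    description: '</script><script>alert(document.cookie)</script>',
  },
  paths: {},
};

// Vulnerable form (hypothetical name): raw JSON.stringify() inside <script>.
// The HTML parser does not know about JavaScript string literals; it ends the
// script element at the first "</script" it sees, even inside a JSON string.
function renderDocsHtmlVulnerable(spec: OpenAPISpec): string {
  return [
    '<!doctype html><html><body><div id="docs"></div>',
    `<script>window.__OPENAPI_SPEC__ = ${JSON.stringify(spec)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Hardened serializer (hypothetical name). Replacing '<' and '>' with JSON
// \u escapes means neither "</script" nor "<!--" can appear in the output,
// while JSON.parse() and the JavaScript engine still decode them to the same
// characters. U+2028/U+2029 are escaped for legacy engines that treated them
// as line terminators inside string literals.
function serializeForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened form (hypothetical name): same template, safe serializer.
function renderDocsHtmlSafe(spec: OpenAPISpec): string {
  return [
    '<!doctype html><html><body><div id="docs"></div>',
    `<script>window.__OPENAPI_SPEC__ = ${serializeForScript(spec)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Check: how many "</script" sequences would the HTML parser encounter?
// A correctly rendered page has exactly one (the template's own closing tag);
// any extra one means attacker data escaped the script context.
function countScriptCloses(html: string): number {
  return (html.match(/<\/script/gi) || []).length;
}

// Does the embedded payload survive the round trip unchanged?
function roundTripsDescription(spec: OpenAPISpec): boolean {
  const parsed = JSON.parse(serializeForScript(spec)) as OpenAPISpec;
  return parsed.info.description === spec.info.description;
}

console.log('vulnerable </script count:', countScriptCloses(renderDocsHtmlVulnerable(maliciousSpec))); // 3
console.log('hardened  </script count:', countScriptCloses(renderDocsHtmlSafe(maliciousSpec)));       // 1
console.log('payload preserved as data:', roundTripsDescription(maliciousSpec));                       // true
```

The count check is a useful regression test for any template that inlines JSON into a script element: render with a specification whose string fields contain </script>, <!-- and U+2028, and assert that the output contains exactly one closing script tag per template occurrence. Libraries such as serialize-javascript or devalue perform the same escaping and also handle values JSON cannot express, which is why the recommendation above points to them for production use.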

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33331
GHSA-7F6V-3GX7-27Q8

Affected Products

Orpc