PT-2026-3522 · Orval · Orval

K14Uz · Published 2026-01-20 · Updated 2026-02-27 · CVE-2026-23947

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Orval versions 7.10.0 through 8.0.2

Description

Orval, a tool for generating type-safe JavaScript clients from OpenAPI specifications, is affected by an arbitrary code execution issue. Untrusted OpenAPI specifications can inject arbitrary TypeScript/JavaScript code into generated clients through the x-enumDescriptions field. This injection occurs during const enum generation within the getEnumImplementation() function, resulting in executable code within the generated schema files. This issue is similar to, but distinct from, a previously addressed issue.

Recommendations

Update to a version later than 8.0.2.
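
A pre-generation check for the issue described above, as an added example that is not part of the advisory or of Orval's code: it tests whether an installed Orval version falls in the affected range and lists `x-enumDescriptions` values that are not plain text. The allowlist, the function names and the sample spec are assumptions made for this example.

```javascript
// Added example: pre-generation audit for CVE-2026-23947 (not Orval code).
// Assumption: descriptions are plain prose; the allowlist is a local policy.
const SAFE_TEXT = /^[A-Za-z0-9 .,:()_\-]*$/;
const AFFECTED = { min: [7, 10, 0], max: [8, 0, 2] }; // range from the advisory

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED.min) >= 0 && compareVersions(p, AFFECTED.max) <= 0;
}

// Walk the whole document: enums can sit in components, parameters or inline
// schemas. Returns one finding per description that fails the allowlist.
function auditEnumDescriptions(node, path = "#", findings = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => auditEnumDescriptions(child, `${path}/${i}`, findings));
  } else if (node && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}/${key}`;
      if (key === "x-enumDescriptions") {
        const items = Array.isArray(value) ? value : [value];
        items.forEach((d, i) => {
          if (typeof d !== "string" || !SAFE_TEXT.test(d)) findings.push({ path: `${here}/${i}`, value: d });
        });
      } else {
        auditEnumDescriptions(value, here, findings);
      }
    }
  }
  return findings;
}

// Constructed sample spec fragment (not from the advisory).
const sampleSpec = { components: { schemas: { Status: {
  type: "string", enum: ["active", "pending"],
  "x-enumDescriptions": ["Account is active", "Pending `review`; see notes"],
} } } };
console.log(isAffectedVersion("8.0.2"), auditEnumDescriptions(sampleSpec));
```

Run the audit on the parsed spec before invoking the generator, and treat any finding as a reason to reject the spec or review it by hand.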

Exploit · Fix · RCE · Code Injection · Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-23947
GHSA-H526-WF6G-67JV

Affected Products

Orval