npm package
@orval/core
pkg:npm/%40orval/core
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25141 | — | | | >= 7.19.0, < 7.21.0 | 7.21.0 | Jan 30, 2026 | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), do |
| CVE-2026-23947 | — | | | >= 8.0.0-rc.0, < 8.0.2 | 8.0.2 | Jan 20, 2026 | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, |