VYPR

Orval

by Orval Labs

CVEs (4)

  • CVE-2026-25141 (Jan 30, 2026)
    risk 0.00 | cvss | epss 0.01

    Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('),…

  • CVE-2026-24132 (Jan 22, 2026)
    risk 0.00 | cvss | epss 0.01

    Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the…

  • CVE-2026-23947 (Jan 20, 2026)
    risk 0.00 | cvss | epss 0.01

    Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to…

  • CVE-2026-22785 (Jan 12, 2026)
    risk 0.00 | cvss | epss 0.01

    Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or…