CVE-2026-33331

Severity: High · Public PoC · Updated

Published: 24 March 2026
Modified: 01 June 2026
KEV Added: not listed
Patch: available (version 1.13.9)
CVSS v3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
EPSS: 0.0029 (20.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33331 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Orpc Orpc. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); it is ranked at the 20.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-33331 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting oRPC, a tool for building end-to-end type-safe APIs that adhere to OpenAPI standards. In versions prior to 1.13.9, the vulnerability resides in the OpenAPI documentation generation process, where an attacker can inject malicious payloads into controllable fields of the OpenAPI specification, such as info.description. This allows breakout from the JSON context, enabling arbitrary JavaScript execution when users view the generated API documentation. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact with changed scope.

The attack requires an attacker to control any field in the OpenAPI specification, which could occur if the specification is user-supplied, dynamically generated from untrusted inputs, or modified in a shared environment. A remote, unauthenticated attacker (PR:N) can exploit this by crafting a malicious OpenAPI spec that, when processed and viewed in the generated documentation, triggers JavaScript execution in the victim's browser (UI:R). Successful exploitation leads to high confidentiality impact (C:H), such as stealing session cookies, tokens, or sensitive data from the authenticated user viewing the docs, with low integrity impact (I:L) and no availability disruption (A:N).

Mitigation is available via upgrade to oRPC version 1.13.9, where the vulnerability has been patched. Official advisories and resources, including the GitHub security advisory (GHSA-7f6v-3gx7-27q8), release notes for v1.13.9, and the fixing commit (4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add), detail the resolution and recommend immediate updates for affected deployments.

Vulnerability details

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of oRPC. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS enables arbitrary JavaScript execution (T1059.007) in victim browsers when viewing poisoned OpenAPI docs; this directly supports drive-by compromise (T1189) of users and exploitation of the public-facing API documentation generator (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28794 (same product: Orpc Orpc)
CVE-2025-69003 (shared CWE-79)
CVE-2026-3220 (shared CWE-79)
CVE-2024-56069 (shared CWE-79)
CVE-2026-42224 (shared CWE-79)
CVE-2026-32526 (shared CWE-79)
CVE-2024-30547 (shared CWE-79)
CVE-2025-25165 (shared CWE-79)
CVE-2025-69367 (shared CWE-79)
CVE-2026-7332 (shared CWE-79)

Affected Assets

Vendor: orpc
Product: orpc
Versions: ≤ 1.13.9

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-15 (Information Output Filtering): Filters output in the generated OpenAPI documentation to prevent breakout from the JSON context and execution of arbitrary JavaScript from malicious spec fields.

prevent · SI-10 (Information Input Validation): Validates inputs to OpenAPI specification fields like info.description to block injection of XSS payloads before documentation generation.

prevent: Remediates the stored XSS flaw by patching oRPC to version 1.13.9 or later, directly addressing the vulnerability in documentation generation.
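The "Deeper analysis" section describes a breakout from a JSON context embedded in generated HTML documentation, and the two SI-15/SI-10 controls above describe the output-filtering and input-validation fixes for it. The following is an added illustration of that weakness class and both controls; it is not oRPC's code and does not reproduce the fixing commit. It assumes (an assumption, since the page does not say how the docs page is assembled) a docs renderer that inlines the spec as JSON inside a `<script>` element, which is one common way a JSON context ends up inside an HTML page. The sample spec, the `renderDocs*`, `jsonForScript`, `findRiskyStrings` and `countScriptOpens` names, and the hostile description string are all constructed for this example.

```javascript
// Added example (not oRPC's code). Shows why plain JSON.stringify inside a
// <script> element is unsafe for attacker-controlled spec fields, and what
// output filtering (SI-15) and input validation (SI-10) look like for it.

// Constructed sample spec: info.description is the attacker-controlled field.
// The value carries a closing script tag, which is enough to end the JSON
// context early when the spec is inlined into HTML.
const SAMPLE_SPEC = {
  openapi: "3.1.0",
  info: {
    title: "Demo API",
    description: "Docs </script><script>/* attacker-controlled JS */</script>",
  },
  paths: {},
};

// Vulnerable pattern (assumed, for illustration): JSON.stringify leaves '<'
// and '>' untouched, so "</script>" inside any string value terminates the
// script element and the rest of the value is parsed as HTML.
function renderDocsNaive(spec) {
  return `<!doctype html><html><body>` +
    `<script>window.__spec = ${JSON.stringify(spec)};</script>` +
    `</body></html>`;
}

// SI-15 style output filtering: encode characters that matter to the HTML
// parser ('<', '>', '&') and the JS line terminators U+2028/U+2029 using
// JSON's own \uXXXX escapes. The result is still valid JSON and decodes to
// exactly the original value, so nothing is lost or altered for the viewer.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderDocsSafe(spec) {
  return `<!doctype html><html><body>` +
    `<script>window.__spec = ${jsonForScript(spec)};</script>` +
    `</body></html>`;
}

// SI-10 style input validation: walk the spec and report every string
// field containing HTML-significant characters, so a reviewer or CI step
// can reject or flag untrusted specs before documentation is generated.
function findRiskyStrings(value, path = "") {
  const hits = [];
  if (typeof value === "string") {
    if (/[<>&]/.test(value)) hits.push(path);
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findRiskyStrings(child, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Simple rendered-output check: a docs page built this way should contain
// exactly one <script element. More than one means a value broke out.
function countScriptOpens(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round-trip check: the filtered encoding is still plain JSON.
function roundTrip(spec) {
  return JSON.parse(jsonForScript(spec));
}

console.log("naive <script count:", countScriptOpens(renderDocsNaive(SAMPLE_SPEC)));
console.log("safe  <script count:", countScriptOpens(renderDocsSafe(SAMPLE_SPEC)));
console.log("risky fields:", findRiskyStrings(SAMPLE_SPEC));
```

The output-side encoding is the control that actually closes the JSON-context breakout, because it works for every string in the spec regardless of where it came from; the input-side scan is a defence-in-depth check that makes an untrusted or shared spec visible for review before it is rendered. Both are generic patterns for inlining data into HTML and are shown here only to illustrate the controls the page names.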
