CNNVD-202601-3977 Information
CNNVD ID
CNNVD-202601-3977
Related CVE
- CNNVD Published: 2026-01-23
Description
Orval is an open-source interface (API) development tool published by Orval. Orval versions 7.19.0 and earlier, and versions 8.0.0-rc.0 through 8.0.2, contain a command injection vulnerability: an untrusted OpenAPI specification can inject arbitrary TypeScript/JavaScript code through the const keyword, which may result in attacker-controlled code being injected into the generated output.
Hazard Level
Low
Vulnerability Type
Command injection
Affected Vendor
Orval
Published
2026-01-23
Last Modified
2026-02-24
References
- https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5
- https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06
- https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62
- https://github.com/orval-labs/orval/pull/2828
- https://github.com/orval-labs/orval/pull/2829
- https://github.com/orval-labs/orval/pull/2830
- https://github.com/orval-labs/orval/releases/tag/v7.20.0
- https://github.com/orval-labs/orval/releases/tag/v8.0.3
- https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626
- https://access.redhat.com/security/cve/cve-2026-24132