CVE-2026-23947: Orval has a code injection via unsanitized x-enum-descriptions in enum generation
Arbitrary code execution in environments consuming generated clients
This issue is similar in nature to the recently patched MCP vulnerability (CVE-2026-22785), but affects a different code path in @orval/core that was not addressed by that fix.
The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files.
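As an added illustration (not Orval's code and not the patched implementation), the snippet below models the pattern the advisory describes: a tiny const-enum generator that places each x-enumDescriptions entry in a JSDoc comment above its member, first in the unsanitized form and then in a hardened form, plus a check that generated output keeps its expected shape. It assumes descriptions are rendered as comments and that x-enumDescriptions is a list parallel to enum; EnumSchema, renderEnum, sanitizeDescription and isWellFormedEnum are names invented here.

```typescript
// Added example, not Orval's code: a minimal const-enum generator modelled on the
// pattern the advisory describes, where x-enumDescriptions from the untrusted
// OpenAPI document land in a JSDoc comment above each member (assumed layout).
interface EnumSchema {
  name: string;
  enum: string[];
  "x-enumDescriptions"?: string[]; // assumed: one description per enum value
}
// Turn an enum value into a TypeScript identifier (simple mangling, assumed).
function toMemberName(value: string): string {
  const id = value.replace(/[^\w$]/g, "_");
  return /^\d/.test(id) ? `_${id}` : id;
}

function renderEnum(schema: EnumSchema, clean: (d: string) => string): string {
  const members = schema.enum.map((value, i) => {
    const desc = schema["x-enumDescriptions"]?.[i];
    const comment = desc === undefined ? "" : `  /** ${clean(desc)} */\n`;
    // JSON.stringify yields a valid string literal whatever the value contains.
    return `${comment}  ${toMemberName(value)} = ${JSON.stringify(value)},`;
  });
  return `export const enum ${schema.name} {\n${members.join("\n")}\n}\n`;
}

// Vulnerable shape: the description is interpolated verbatim, so a value holding
// `*/` or a line break ends the comment early and the rest is emitted as code.
function generateEnumUnsafe(schema: EnumSchema): string {
  return renderEnum(schema, (d) => d);
}
// Hardened shape: neutralise the comment terminator and collapse line breaks so
// the description can never leave the comment it was placed in.
function sanitizeDescription(desc: string): string {
  return desc.replace(/\*\//g, "*\\/").replace(/[\r\n\u2028\u2029]+/g, " ");
}

function generateEnumSafe(schema: EnumSchema): string {
  return renderEnum(schema, sanitizeDescription);
}

// Output check for CI: every body line must be a one-line comment that closes
// exactly once, at its end, or a plain member assignment; anything else is suspect.
function isWellFormedEnum(src: string): boolean {
  const lines = src.split("\n");
  if (!/^export const enum [A-Za-z_$][\w$]* \{$/.test(lines[0] ?? "")) return false;
  if (lines[lines.length - 2] !== "}" || lines[lines.length - 1] !== "") return false;
  return lines.slice(1, -2).every((l) =>
    /^  \/\*\* (?:(?!\*\/).)* \*\/$/.test(l) ||
    /^  [A-Za-z_$][\w$]* = "(?:[^"\\]|\\.)*",$/.test(l));
}
```

Running isWellFormedEnum over the generator's output in CI catches a description that breaks out of its comment before the generated client is ever executed.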