CVE-2026-25141: Orval has Code Injection via unsanitized x-enum-descriptions using JS comments
Description: the earlier fix for CVE-2026-23947 was incomplete; this advisory covers the remaining code-injection path.
References
- github.com/advisories/GHSA-gch2-phqh-fg9q
- github.com/orval-labs/orval
- github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts
- github.com/orval-labs/orval/releases/tag/v7.21.0
- github.com/orval-labs/orval/releases/tag/v8.2.0
- github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q
- github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv
- nvd.nist.gov/vuln/detail/CVE-2026-25141