PatchSiren cyber security CVE debrief

CVE-2026-33331 middleapi CVE debrief

A stored cross-site scripting (XSS) vulnerability in oRPC's OpenAPI documentation generation allows attackers with control over OpenAPI specification fields (such as info.description) to inject arbitrary JavaScript that executes when users view generated API documentation. The vulnerability stems from improper sanitization when rendering OpenAPI specification content, enabling JSON context breakout and script execution. This affects all versions prior to 1.13.9. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. The issue was patched in version 1.13.9 with a commit addressing the sanitization flaw. No known exploitation in ransomware campaigns has been reported.

Vendor: middleapi
Product: orpc
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-24
Original CVE updated: 2026-06-01
Advisory published: 2026-03-24
Advisory updated: 2026-06-01

Who should care

Organizations using oRPC to generate API documentation, particularly those exposing OpenAPI documentation interfaces to internal or external users. Development teams relying on oRPC's type-safe API builder with OpenAPI compliance. Security teams monitoring for XSS vulnerabilities in developer tooling and API infrastructure.

Technical summary

The oRPC framework's OpenAPI documentation generator fails to properly sanitize specification fields before rendering them in a web context. An attacker who can influence any field within the OpenAPI specification—demonstrated with info.description but potentially applicable to other fields—can craft input that breaks out of the intended JSON context and injects executable JavaScript. When a victim views the generated API documentation, the malicious script executes in their browser. This is classified as stored XSS because the payload persists in the generated documentation. The vulnerability requires user interaction (a victim viewing the documentation) and can lead to high confidentiality impact through session hijacking or credential theft, with low integrity impact from potential unauthorized actions performed via the victim's session. The fix in version 1.13.9 implements proper sanitization to prevent JSON context breakout and script injection.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade oRPC to version 1.13.9 or later to remediate the stored XSS vulnerability in OpenAPI documentation generation.
  • Review any custom OpenAPI specification fields (including info.description, titles, summaries, and other user-controllable content) for injected payloads if running affected versions prior to patching.
  • Validate and sanitize all user-controllable input that feeds into OpenAPI specification generation, applying output encoding appropriate for JSON and HTML contexts.
  • Monitor generated API documentation access logs for anomalous patterns that may indicate exploitation attempts.
  • If immediate patching is not feasible, consider restricting access to generated OpenAPI documentation interfaces to trusted administrative users only.
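As an added illustration of the JSON-context breakout described in the technical summary and of the output encoding recommended above (this is not oRPC's code; the function names and the sample spec are constructed for the example):

```javascript
// Added example, not oRPC's own code. It shows why inlining a spec serialized
// with plain JSON.stringify into a <script> element lets a field such as
// info.description end the script element early, and the serializer that
// closes that gap. All function names below are hypothetical.

// Unsafe: the string is valid JSON, but the HTML parser does not know that a
// "</script>" inside a JSON string literal is data, and ends the element there.
function embedSpecUnsafe(spec) {
  return `<script id="spec" type="application/json">${JSON.stringify(spec)}</script>`;
}

// Safe: \u-escape the characters that are significant to the HTML parser
// (< > &) and the JS line terminators U+2028/U+2029. The output is still
// valid JSON, so JSON.parse recovers every field value unchanged.
function jsonForHtml(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function embedSpecSafe(spec) {
  return `<script id="spec" type="application/json">${jsonForHtml(spec)}</script>`;
}

// Defender-side check: after removing the single intended wrapper element,
// the serialized payload must not contain any "<" that could open a tag.
function breaksOutOfScript(html) {
  const inner = html.replace(/^<script[^>]*>/, '').replace(/<\/script>$/, '');
  return inner.includes('<');
}

// Constructed OpenAPI fragment whose description carries a closing script tag.
const spec = {
  openapi: '3.1.0',
  info: { title: 'Demo API', description: 'Docs </script><script>/* runs */</script>' },
  paths: {},
};

// Round-trip: the safe form parses back to exactly the original description.
function roundTripDescription(spec) {
  const html = embedSpecSafe(spec);
  const json = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</script>'));
  return JSON.parse(json).info.description;
}
```

The same escaping applies wherever a spec is handed to a documentation UI through inline JSON; a spec rendered into HTML text or attributes needs the matching HTML encoding instead.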

Evidence notes

CVE published 2026-03-24; modified 2026-06-01. Vendor advisory and patch released via GitHub Security Advisories. CPE criteria confirm the affected product as orpc:orpc, versions before 1.13.9. CWE-79 (Improper Neutralization of Input During Web Page Generation) is identified as a secondary weakness.

Official resources

2026-03-24T20:16:28.547Z