HIGH
middleapi
CVE published 2026-03-24
CVE-2026-33331
A stored cross-site scripting (XSS) vulnerability in oRPC's OpenAPI documentation generation allows attackers with control over OpenAPI specification fields (such as info.description) to inject arbitrary JavaScript that executes when users view generated API documentation. The vulnerability stems from improper sanitization when rendering OpenAPI specification content, enabling JSON context breakout and sc [truncated]