CVE-2026-33331 - Vulnerability Analysis
High
CVSS: 8.2
Last Updated: March 24, 2026
oRPC - Stored XSS
Published: March 24, 2026
Updated: March 24, 2026
Remote Exploitable
Overview
oRPC versions before 1.13.9 contain a stored XSS vulnerability caused by improper sanitization of OpenAPI specification fields during documentation generation. This lets attackers execute arbitrary JavaScript when users view the API docs. Exploitation requires attacker control of OpenAPI spec fields.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Attackers can execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking or other client-side attacks.
Mitigation
Update to version 1.13.9 or later.
Details
- CVE ID: CVE-2026-33331
- Severity: High
- CVSS Score: 8.2
- Type: stored_xss
- Status: new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N