Home / Vulnerability Intelligence / CVE-2026-33331

CVE-2026-33331 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 26, 2026

oRPC - Stored XSS

Published: March 24, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

oRPC < 1.13.9 contains a stored XSS caused by improper sanitization of OpenAPI specification fields in documentation generation, letting attackers execute arbitrary JavaScript when users view API docs, exploit requires attacker control of OpenAPI spec fields.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 1.1%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking or other client-side attacks.

Mitigation

Update to version 1.13.9 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 24, 2026

🟠 CVE-2026-33331 - High (8.2) oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33331/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33331
Severity: High
CVSS Score: 8.2
Type: stored_xss
Status: unconfirmed
EPSS: 1.1%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS Score

1.1%Probability of exploitation in the next 30 days