CVE-2026-33331

HIGH

oRPC: Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33331. PoCs published by abhayclasher.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2026-33331, a stored XSS vulnerability in the oRPC OpenAPI Reference Plugin. The exploit demonstrates how an attacker can inject malicious JavaScript into an OpenAPI spec, which is then rendered unsafely in the generated documentation.

Description

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
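The failure mode the description outlines, as an added example that is not oRPC's own code: a spec serialized with bare JSON.stringify into an inline script beside a hardened serializer that escapes the HTML-significant characters, plus a check that flags a broken script context. The spec object, the attacker-controlled description value and the function names (renderUnsafe, jsonForScript, renderSafe, scriptContextBroken) are all constructed for this example; whether oRPC embeds the spec exactly this way is an assumption, and the escaping shown is one standard hardening, not necessarily the project's patch.

```javascript
// Added example (not oRPC's own code). A constructed OpenAPI spec whose
// info.description is attacker-controlled, as the advisory describes.
const spec = {
  openapi: '3.1.0',
  info: {
    title: 'Demo API',
    // Constructed value: '</script>' ends the inline script element early,
    // so everything after it is parsed as HTML rather than as JSON data.
    description: 'harmless text</script><b>no longer inside the JSON</b>',
  },
};

// Vulnerable pattern (assumed shape of the bug): JSON.stringify leaves '<'
// and '>' untouched, so the HTML tokenizer sees the embedded '</script>'.
function renderUnsafe(doc) {
  return `<script>window.__spec = ${JSON.stringify(doc)};</script>`;
}

// Hardened serializer: replace characters that are significant to the HTML
// parser, or that break JS string literals, with JSON unicode escapes.
// The output is still valid JSON and parses back to the same object.
function jsonForScript(doc) {
  return JSON.stringify(doc)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(doc) {
  return `<script>window.__spec = ${jsonForScript(doc)};</script>`;
}

// Detection helper for generated documentation: more than one closing
// script tag in a single inline-script render means the data broke out.
function scriptContextBroken(html) {
  const closeTags = html.match(/<\/script/gi) || [];
  return closeTags.length > 1;
}
```

Running scriptContextBroken over renderUnsafe(spec) reports the break, while renderSafe(spec) keeps the description inside the JSON string and still round-trips through JSON.parse.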

Exploits (1)

nomisec · WORKING POC
by abhayclasher · poc
https://github.com/abhayclasher/CVE-2026-33331


Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: middleapi/orpc (versions below v1.13.9)
No auth needed
Prerequisites: Node.js 18 or later · Docker (optional)
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 8.2
EPSS 0.0002
EPSS Percentile 5.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
middleapi/orpc < 1.13.9
orpc/openapi 0 - 1.13.9 (npm)
orpc/orpc < 1.13.9
Published Mar 24, 2026
Tracked Since Mar 25, 2026