Home > Vulnerability Database > CVE-2026-22785

Mend.io Vulnerability Database

CVE-2026-22785

Good to know:

Date: January 12, 2026

orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.

Severity Score

9.8

Related Resources (5)

Url: https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj

Url: https://github.com/orval-labs/orval

Url: https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22785

Url: https://www.mend.io/vulnerability-database/CVE-2026-22785

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Top Fix

Upgrade Version

Upgrade to version @orval/mcp - 7.18.0;@orval/mcp - 7.18.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22785

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?