What is the authoritative source for CVE-2026-24132?

CVE-2026-24132 (CVE-2026-24132) is catalogued in NVD + CISA KEV + FIRST EPSS and curated for EU compliance use cases by SQUR.

How severe is CVE-2026-24132?

CVE-2026-24132 carries a CRITICAL CVSS 9.8 severity rating.

CVE-2026-24132CRITICAL 9.8EPSS p47.4%

CVE-2026-24132CVE-2026-24132

Description

Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3.

Scoring

CVSS 3.1	9.8 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS	0.68% probability of exploitation · percentile 47.4% · 2026-06-18T12:00:27Z
Published	2026-01-23
Last modified	2026-02-27

Underlying weaknesses· 2

CWE-77 CWE-94

References

2

Type	Target	Confidence	Tier
Weakness	Improper Neutralization of Special Elements used in a Command ('Command Injection')cwe-77	0%	live
Weakness	Improper Control of Generation of Code ('Code Injection')cwe-94	0%	live