The vulnerability identified as CVE-2026-33331 is a stored cross-site scripting (XSS) flaw in the middleapi orpc tool, specifically in versions prior to 1.13.9. orpc is a tool designed to build APIs that are end-to-end type-safe and compliant with OpenAPI standards, including automatic generation of API documentation. The flaw exists in the process of generating OpenAPI documentation, where user-controllable fields within the OpenAPI specification—such as the info.description field—are not properly sanitized or neutralized before being embedded into the JSON context of the documentation page. This improper input handling allows an attacker who can supply or manipulate these fields to inject arbitrary JavaScript code. When a legitimate user accesses the generated API documentation, the malicious script executes in their browser context, leading to a stored XSS attack. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 8.2, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact is primarily on confidentiality, with limited integrity impact and no availability impact. The vulnerability has been addressed and patched in orpc version 1.13.9. There are no known exploits in the wild as of the publication date.

This vulnerability poses a significant risk to organizations using orpc versions prior to 1.13.9 for API development and documentation. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of the API documentation viewer's browser, potentially exposing sensitive information such as authentication tokens, session cookies, or other confidential data accessible via the browser. This can facilitate further attacks like session hijacking, phishing, or unauthorized access to backend systems. Since the attack requires no authentication and can be triggered simply by viewing the compromised documentation, the attack surface is broad, especially in environments where API documentation is publicly accessible or shared widely among developers and partners. The scope includes any organization leveraging orpc for API documentation generation, which may include software development firms, enterprises with internal or external APIs, and cloud service providers. The lack of availability impact means systems remain operational, but confidentiality breaches can have severe business and compliance consequences. The absence of known exploits in the wild suggests proactive patching can prevent exploitation.

Organizations should immediately upgrade orpc to version 1.13.9 or later, where this vulnerability has been patched. Until upgrading is possible, restrict access to the OpenAPI documentation generated by orpc to trusted users only, minimizing exposure to potential attackers. Implement strict input validation and sanitization on all fields within the OpenAPI specification, especially those that can be user-controlled, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers on the documentation web pages to restrict execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly audit and review API documentation content for unexpected or suspicious inputs. Educate developers and API consumers about the risks of interacting with untrusted API documentation sources. Monitor logs and network traffic for unusual activity related to API documentation access. Finally, integrate security testing into the API development lifecycle to detect similar vulnerabilities early.