Orval Hit by Critical Code-Injection Flaw
The open-source tool Orval, which developers use to generate type-safe clients from OpenAPI specifications, has been hit by a vulnerability that experts rate as critical. According to a security alert published earlier today, the flaw allows potential code injection and carries a CVSS score of 9.3, indicating severe risk. Security researchers have linked the threat to three identified vulnerabilities: CVE-2026-23947, CVE-2026-23550, and CVE-2026-22785.
The disclosure has raised immediate supply chain concerns, especially for teams integrating Orval into production pipelines. Attackers may exploit the issue during code generation phases, injecting malicious logic into output clients. Industry experts urge users to upgrade to the latest secure version without delay to mitigate exposure.
Teams maintaining projects that depend on Orval should check their dependency versions immediately, including transitive copies pulled in by other packages. Ignoring the flaw could risk wider system compromise across integrated platforms.
Read the full report at
Supply Chain Alert: Critical Code Injection Flaw (CVSS 9.3) in Orval
