Perceptive Security
SOC/SIEM Consultancy

oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS…
Published:
23 March 2026 at 23:00:00
Alert date:
24 March 2026 at 21:04:18
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
A stored cross-site scripting (XSS) vulnerability exists in oRPC, a tool for building type-safe APIs that adhere to OpenAPI standards. The vulnerability affects versions prior to 1.13.9 and lies in the OpenAPI documentation generation feature. An attacker who can control any field of the OpenAPI specification (such as info.description) can break out of the JSON context in which the specification is embedded and execute arbitrary JavaScript in the browser of anyone viewing the generated API documentation. Because it results in code execution in users' browsers, this is a significant security risk. The issue is patched in version 1.13.9, and users should upgrade to mitigate it.
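The advisory describes a spec field such as info.description breaking out of the JSON context of the generated documentation page. The following is an added example, not oRPC's own code, of the serialization step a reviewer would inspect in such a generator: it assumes (the page does not show the implementation) that the documentation inlines the spec as JSON inside a <script> element, and places the weak form beside a hardened one together with a check on the rendered output.

```javascript
// Added example, not oRPC code. Assumption: the docs page inlines the OpenAPI
// document as JSON in a <script> element; that is the "JSON context" at issue.

// Characters that must not reach the HTML parser raw when JSON is inlined in a
// <script>. JSON allows \uXXXX escapes, so the output stays valid JSON and
// JSON.parse recovers the original values unchanged.
const SCRIPT_SAFE_ESCAPES = {
  '<': '\\u003c',      // stops "</script" or "<!--" inside a value from ending the block
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line separators: legal in JSON strings, statement breaks in older JS engines
  '\u2029': '\\u2029',
};

function serializeForScriptTag(spec) {
  return JSON.stringify(spec).replace(/[<>&\u2028\u2029]/g, (ch) => SCRIPT_SAFE_ESCAPES[ch]);
}

// Weak form: JSON.stringify output dropped straight into the page. A spec value
// containing "</script>" terminates the block and the remainder is parsed as HTML.
function renderDocsUnsafe(spec) {
  return `<script>window.__SPEC__ = ${JSON.stringify(spec)};</script>`;
}

// Hardened form: same structure, but the JSON is script-context escaped.
function renderDocsSafe(spec) {
  return `<script>window.__SPEC__ = ${serializeForScriptTag(spec)};</script>`;
}

// Defender-side check on rendered HTML: exactly one closing tag means no spec
// field was able to close the script block early.
function scriptBlockIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample spec (not from the advisory). info.description, the field the
// advisory names, carries a closing tag to exercise the check.
const sampleSpec = {
  openapi: '3.1.0',
  info: { title: 'Demo API', version: '1.0.0', description: 'Demo </script> text' },
  paths: {},
};

console.log(scriptBlockIntact(renderDocsUnsafe(sampleSpec))); // false
console.log(scriptBlockIntact(renderDocsSafe(sampleSpec)));   // true
```

The same escaping is what a generator must apply wherever untrusted spec data is inlined; a test that runs scriptBlockIntact over the rendered page is a cheap regression guard.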
Affected products:
oRPC
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33331
https://github.com/middleapi/orpc/commit/4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add
https://github.com/middleapi/orpc/releases/tag/v1.13.9
https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8
This article was created with the assistance of AI technology by Perceptive.
