CVE-2026-1699

EPSS 0.03%
Veröffentlicht 30.01.2026 10:15:56
Zuletzt bearbeitet 30.01.2026 10:15:56
Quelle emo@eclipse.org
CVE-Watchlists
Login
Unerledigt
Login

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerEclipse Foundation

≫

Produkt Eclipse Theia - Website

Default Statusunaffected

Version < 2fb0cc4bfc372cfaef79feb4eebb6563778b2560

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.068

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
emo@eclipse.org	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332

https://nvd.nist.gov/vuln/detail/CVE-2026-1699

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1699

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1699

EUVD