CVE-2026-13323
- EPSS 0.19%
- Veröffentlicht 01.07.2026 11:28:20
- Zuletzt bearbeitet 06.07.2026 20:33:10
In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can regi...
CVE-2026-4983
- EPSS 0.23%
- Veröffentlicht 23.06.2026 10:50:38
- Zuletzt bearbeitet 24.06.2026 16:55:25
Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an a...
CVE-2025-6705
- EPSS 0.22%
- Veröffentlicht 27.06.2025 14:57:06
- Zuletzt bearbeitet 31.07.2025 16:12:02
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged t...
CVE-2025-1007
- EPSS 0.47%
- Veröffentlicht 19.02.2025 09:15:10
- Zuletzt bearbeitet 31.07.2025 12:44:45
In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link...