Skip to main content

Eclipse Open VSX CVE-2026-13323

| EUVDEUVD-2026-40945 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 eclipse GHSA-f3mc-x4vf-jrw2
8.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (eclipse) PRIMARY
MEDIUM
qualitative
NVD
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable, low-complexity stored XSS needing only a self-service publisher account (PR:L) and victim interaction (UI:R); executes in the trusted origin so S:C with high C/I, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from Vendor (eclipse).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

10
Analysis Updated
Jul 06, 2026 - 21:40 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:39 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:38 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 06, 2026 - 21:37 vuln.today
Analysis Updated
Jul 06, 2026 - 21:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:37 vuln.today
cvss_changed
Severity Changed
Jul 06, 2026 - 20:37 NVD
MEDIUM HIGH
CVSS changed
Jul 06, 2026 - 20:37 NVD
4.1 (MEDIUM) 8.7 (HIGH)
Patch available
Jul 01, 2026 - 13:01 EUVD
Analysis Generated
Jul 01, 2026 - 12:21 vuln.today

DescriptionNVD

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX containing a crafted HTML payload, and induce an authenticated user to visit the resulting URL. The browser renders the file inline in the open-vsx.org origin context, enabling session token exfiltration, persistent Personal Access Token (PAT) generation, and unauthorized publication of malicious extension versions. Because Open VSX extensions are distributed to VS Code, VSCodium, Cursor, Windsurf, and compatible editors, a compromised extension update constitutes a supply chain attack against all downstream users.

AnalysisAI

Stored cross-site scripting in Eclipse Open VSX Registry (versions 0.1.0 through before 1.0.2) allows an attacker who self-registers a publisher account to upload a VSIX containing malicious HTML that the /vscode/unpkg/ endpoint serves inline as text/html within the open-vsx.org origin, with no Content-Security-Policy or Content-Disposition: attachment header. When a logged-in victim is lured to the resulting URL, the script runs in the registry's origin and can steal session tokens, mint Personal Access Tokens, and publish trojanized extension versions - turning a single XSS into a supply-chain compromise of VS Code, VSCodium, Cursor, and Windsurf users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Register publisher account on Open VSX
Delivery
Upload VSIX with crafted HTML asset
Exploit
Lure authenticated user to /vscode/unpkg/ URL
Install
Script executes in open-vsx.org origin
C2
Exfiltrate session token and mint PAT
Execute
Publish trojanized extension update
Impact
Supply-chain compromise of downstream editors

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a publisher account (self-registerable without prior authorization) and to upload a VSIX whose payload is an HTML file served through the /vscode/unpkg/ asset endpoint, which returns Content-Type: text/html inline with no CSP and no Content-Disposition: attachment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to high potential impact but low current urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free publisher account on open-vsx.org, publishes an innocuous-looking extension whose VSIX bundles a crafted HTML file, then shares the /vscode/unpkg/ URL for that file with a targeted maintainer (e.g. via a bug report or forum post). …
Remediation Vendor-released patch: upgrade Eclipse Open VSX to 1.0.2 or later, which is the fixed version per the EUVD range and the upstream fix in https://github.com/eclipse-openvsx/openvsx/pull/1922 (self-hosted operators should redeploy from the 1.0.2 release). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your organization's use of VS Code, VSCodium, Cursor, and Windsurf, and verify which systems pull extensions from open-vsx.org. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

CVE-2026-13323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy