CVE-2026-1699
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...
Eclipse Theia – Website security vulnerabilities
Eclipse Theia - Website is a development environment framework created by the Eclipse Foundation. There is a security vulnerability in Eclipse Theia - Website, which stems from the use of pull_request_target triggers in GitHub Actions workflows to execute untrusted code. This vulnerability may lea...
EUVD-2021-21091
Malware in sbrugna...
EUVD-2021-1039
Malware in sbrugna...
EUVD-2021-0815
Malware in sbrugna...
EUVD-2021-2115
Malware in sbrugna...
EUVD-2021-0825
Malware in sbrugna...
EUVD-2021-0816
Malware in sbrugna...
EUVD-2021-2403
Malware in sbrugna...
PT-2025-27026
🚨 Critical flaw in Open VSX Registry CVE-2025-29182 Malicious extensions could hijack dev environments! ⚠️ 180K+ daily users at risk. Patched now—if you're using Eclipse Theia or any Open VSX-based IDE, update ASAP. CyberSecurity SupplyChain PatchNow...
CVE-2021-34436
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution and XXE via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) to provide language support for XML. This is installed by default...
CVE-2021-34435
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. However, because of the way it is implemented, a previewed HTML file can trigger an RCE. This exploit only happens if a user previews a malicious file...
CVE-2021-28161
In Eclipse Theia versions up to and including 1.8.0, there is no HTML escaping in the debug console, so arbitrary JavaScript code can be injected...
CVE-2020-27224
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview) can be exploited to execute arbitrary code...
CVE-2019-17636
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes an HTTP endpoint that allows reading the content of files on the host's filesystem, given...
Improper Verification of Communication Channel in @theia/plugin-ext
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...
CVE-2021-41038
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...
Code injection
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...
CVE-2021-41038
The CVE-2021-41038 entry concerns the @theia/plugin-ext component of Eclipse Theia (pre-1.18.0). The issue is that Webview contents can be hijacked via postMessage(), caused by improper verification of the communication channel. This mode of exploitation could expose or modify Webview content dep...