11 matches found
CVE-2021-28161
The CVE-2021-28161 entry concerns Eclipse Theia prior to or including version 1.8.0, where the debug console does not escape HTML. This lack of escaping enables injection of arbitrary JavaScript code through the console, constituting a cross-site scripting risk. The vulnerability is tied to Theia...
CVE-2021-28162
The vulnerability CVE-2021-28162 affects Eclipse Theia
CVE-2021-34435
In Eclipse Theia, versions 0.3.9 through 1.8.1 are affected by a vulnerability in the built-in mini-browser extension that previews HTML files in an iframe inside the IDE. The issue arises from how the preview rendering is implemented, enabling a maliciously crafted HTML file viewed in the iframe...
CVE-2021-41038
The CVE-2021-41038 entry concerns the @theia/plugin-ext component of Eclipse Theia (pre-1.18.0). The issue is that Webview contents can be hijacked via postMessage(), caused by improper verification of the communication channel. This mode of exploitation could expose or modify Webview content dep...
CVE-2019-17636
The CVE-2019-17636 entry concerns Eclipse Theia (versions 0.3.9–0.15.0) where the default pre-packaged extension @theia/mini-browser exposes an HTTP endpoint to read arbitrary host filesystem files by path. The described flaw allows remote exploitation via DNS rebinding or drive-by download, enab...
CVE-2020-27224
The CVE-2020-27224 entry affects Eclipse Theia up to version 1.2.0, specifically the Markdown Preview module (@theia/preview). The issue enables arbitrary code execution due to a failure in how external data is processed during code segment construction in the Markdown Preview, leading to a code ...
CVE-2021-34436
The CVE affects Eclipse Theia 0.1.1–0.2.0, where the default build loads the theia-xml-extension (using lsp4xml, recently renamed LemMinX) to provide XML language support. This extension is installed by default, enabling remote code execution and XXE via the XML support component. Connected docum...
CVE-2026-44691
CVE-2026-44691 affects Eclipse Theia versions before 1.69.0. The issue arises when custom task definitions in workspace files (e.g., .theia/tasks.json, .vscode/tasks.json) can be executed without workspace trust, potentially enabling arbitrary commands to run with the user’s privileges if a malic...
CVE-2026-46580
Theia before v1.71.0 loads files matching .prompts/*.prompttemplate from a workspace, allowing attacker-controlled content to override the AI agent’s system prompts (indirect prompt injection). This enables attack chains with untrusted workspaces, potentially causing data exfiltration via Markdow...
CVE-2026-44688
The vulnerability CVE-2026-44688 affects Eclipse Theia versions prior to 1.71.0. The AI chat agent processes workspace file and directory names as part of its prompt context without distinguishing them from system instructions, enabling indirect prompt injection when an attacker uses adversarial ...
CVE-2026-22551
Eclipse Theia versions before 1.71.0 are affected: the AI chat could render Markdown image tags from AI responses, causing HTTP requests to arbitrary external URLs. In combination with a malicious workspace via prompt injection, an attacker could coax the AI agent to construct image URLs that lea...