Lucene search
K

5 matches found

CVE
CVE
added 2021/11/10 5:5 p.m.59 views

CVE-2021-41038

The CVE-2021-41038 entry concerns the @theia/plugin-ext component of Eclipse Theia (pre-1.18.0). The issue is that Webview contents can be hijacked via postMessage(), caused by improper verification of the communication channel. This mode of exploitation could expose or modify Webview content dep...

6.1CVSS6.1AI score0.00713EPSS
CVE
CVE
added 2026/06/18 2:35 p.m.25 views

CVE-2026-44691

CVE-2026-44691 affects Eclipse Theia versions before 1.69.0. The issue arises when custom task definitions in workspace files (e.g., .theia/tasks.json, .vscode/tasks.json) can be executed without workspace trust, potentially enabling arbitrary commands to run with the user’s privileges if a malic...

8.8CVSS5.8AI score0.00231EPSS
CVE
CVE
added 2026/06/18 2:26 p.m.19 views

CVE-2026-46580

Theia before v1.71.0 loads files matching .prompts/*.prompttemplate from a workspace, allowing attacker-controlled content to override the AI agent’s system prompts (indirect prompt injection). This enables attack chains with untrusted workspaces, potentially causing data exfiltration via Markdow...

8.8CVSS5.7AI score0.00272EPSS
CVE
CVE
added 2026/06/18 2:32 p.m.18 views

CVE-2026-22551

Eclipse Theia versions before 1.71.0 are affected: the AI chat could render Markdown image tags from AI responses, causing HTTP requests to arbitrary external URLs. In combination with a malicious workspace via prompt injection, an attacker could coax the AI agent to construct image URLs that lea...

6.7CVSS5.5AI score0.00181EPSS
CVE
CVE
added 2026/06/18 2:22 p.m.18 views

CVE-2026-44688

The vulnerability CVE-2026-44688 affects Eclipse Theia versions prior to 1.71.0. The AI chat agent processes workspace file and directory names as part of its prompt context without distinguishing them from system instructions, enabling indirect prompt injection when an attacker uses adversarial ...

8.8CVSS5.7AI score0.00272EPSS