CVE-2026-4983: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') in Eclipse Foundation Eclipse Open VSX
CVE-2026-4983 is a stored cross-site scripting (XSS) vulnerability in Eclipse Foundation's Eclipse Open VSX. The vulnerability arises because the Open VSX Registry does not sanitize SVG files uploaded as extension icons and serves them without security headers. This allows attackers to publish extensions with malicious SVG icons that execute scripts when users access the icon URL. On local storage deployments, this can lead to session hijacking and unauthorized extension publishing. On deployments using external storage, script execution is limited to the storage origin but can still enable phishing and credential theft. A patch is available, and the product is a cloud service with vendor-managed remediation.
AI Analysis
Technical Summary
The Open VSX Registry component of Eclipse Open VSX fails to sanitize SVG files uploaded as extension icons before storage and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This improper neutralization of input leads to stored cross-site scripting (CWE-79). When a user navigates directly to the malicious SVG icon URL, script execution occurs. In local storage deployments, the script runs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. In deployments backed by external storage (e.g., S3-backed CDN like open-vsx.org), script execution is confined to the storage origin, reducing impact but still allowing phishing and credential harvesting. The vulnerability affects versions =0.1.0 and >=0.1.0 <0.34.1. The product is a cloud service, and the vendor manages remediation. No known exploits are reported in the wild.
Potential Impact
Exploitation of this vulnerability allows attackers to execute stored cross-site scripting attacks via malicious SVG icons in extensions. On local storage deployments, this can lead to session hijacking, theft of authentication tokens, and unauthorized publishing of extensions. On external storage deployments, the impact is limited to the storage origin, but attackers can still conduct phishing attacks and harvest credentials through crafted pages. The CVSS v3.1 base score is 4.1 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and limited impact on integrity without confidentiality or availability loss.
Mitigation Recommendations
Since Eclipse Open VSX is a cloud service, the vendor manages remediation server-side. A patch is available for affected versions. Users and administrators should ensure they are using a patched version (>=0.34.1) or rely on the vendor's updated cloud service. No additional user action is required if using the vendor-hosted service. For self-hosted deployments, upgrade to the fixed version to mitigate the vulnerability.
CVE-2026-4983: CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') in Eclipse Foundation Eclipse Open VSX
Description
CVE-2026-4983 is a stored cross-site scripting (XSS) vulnerability in Eclipse Foundation's Eclipse Open VSX. The vulnerability arises because the Open VSX Registry does not sanitize SVG files uploaded as extension icons and serves them without security headers. This allows attackers to publish extensions with malicious SVG icons that execute scripts when users access the icon URL. On local storage deployments, this can lead to session hijacking and unauthorized extension publishing. On deployments using external storage, script execution is limited to the storage origin but can still enable phishing and credential theft. A patch is available, and the product is a cloud service with vendor-managed remediation.
CVSS v3.1
Score 4.1medium
Affected software
pkg:github/Eclipse Open VSXRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Open VSX Registry component of Eclipse Open VSX fails to sanitize SVG files uploaded as extension icons before storage and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This improper neutralization of input leads to stored cross-site scripting (CWE-79). When a user navigates directly to the malicious SVG icon URL, script execution occurs. In local storage deployments, the script runs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. In deployments backed by external storage (e.g., S3-backed CDN like open-vsx.org), script execution is confined to the storage origin, reducing impact but still allowing phishing and credential harvesting. The vulnerability affects versions =0.1.0 and >=0.1.0 <0.34.1. The product is a cloud service, and the vendor manages remediation. No known exploits are reported in the wild.
Potential Impact
Exploitation of this vulnerability allows attackers to execute stored cross-site scripting attacks via malicious SVG icons in extensions. On local storage deployments, this can lead to session hijacking, theft of authentication tokens, and unauthorized publishing of extensions. On external storage deployments, the impact is limited to the storage origin, but attackers can still conduct phishing attacks and harvest credentials through crafted pages. The CVSS v3.1 base score is 4.1 (medium severity), reflecting network attack vector, low attack complexity, required privileges, user interaction, and limited impact on integrity without confidentiality or availability loss.
Mitigation Recommendations
Since Eclipse Open VSX is a cloud service, the vendor manages remediation server-side. A patch is available for affected versions. Users and administrators should ensure they are using a patched version (>=0.34.1) or rely on the vendor's updated cloud service. No additional user action is required if using the vendor-hosted service. For self-hosted deployments, upgrade to the fixed version to mitigate the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- eclipse
- Date Reserved
- 2026-03-27T12:31:27.749Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a3a7072eed863c81eeb425c
Added to database: 06/23/2026, 11:39:30 UTC
Last enriched: 06/23/2026, 11:54:09 UTC
Last updated: 06/23/2026, 12:01:12 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.