In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NEclipse Theia
APPEclipse≤ 0.16.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Related vulnerabilities
CVE-2021-34436CRITICAL9.8ten sam produkt
In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (...
CVE-2020-27224CRITICAL9.6ten sam produkt
In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited t...
CVE-2026-44688HIGH8.4ten sam produkt
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as p...
CVE-2026-46580HIGH8.4ten sam produkt
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace...
CVE-2026-44691HIGH8.4ten sam produkt
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json,...