Local File Injection in Open VSX Registry
CVE-2026-13323

4.1MEDIUM

Key Information:

Vendor
CVE Published:
1 July 2026

What is CVE-2026-13323?

The Open VSX Registry prior to version 1.0.2 presents a serious security issue whereby the /vscode/unpkg/ endpoint improperly serves user-uploaded HTML files with a Content-Type of text/html. This misconfiguration, lacking proper Content-Security-Policy and Content-Disposition headers, allows unauthenticated attackers to exploit the registry. By creating a publisher account, these attackers can upload malicious VSIX files containing crafted HTML. If an authenticated user accesses the generated URL, the browser renders the malicious file inline, leading to potential session token exfiltration and the unauthorized generation of persistent Personal Access Tokens (PATs). Moreover, this issue poses a significant risk of a supply chain attack, affecting numerous downstream users relying on Open VSX extensions for editors like VS Code, VSCodium, and others.

Affected Version(s)

Eclipse Open VSX 0.1.0 < 1.0.2

References

CVSS V3.1

Score:
4.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Golan Myers
.