Local File Injection in Open VSX Registry
CVE-2026-13323
What is CVE-2026-13323?
The Open VSX Registry prior to version 1.0.2 presents a serious security issue whereby the /vscode/unpkg/ endpoint improperly serves user-uploaded HTML files with a Content-Type of text/html. This misconfiguration, lacking proper Content-Security-Policy and Content-Disposition headers, allows unauthenticated attackers to exploit the registry. By creating a publisher account, these attackers can upload malicious VSIX files containing crafted HTML. If an authenticated user accesses the generated URL, the browser renders the malicious file inline, leading to potential session token exfiltration and the unauthorized generation of persistent Personal Access Tokens (PATs). Moreover, this issue poses a significant risk of a supply chain attack, affecting numerous downstream users relying on Open VSX extensions for editors like VS Code, VSCodium, and others.
Affected Version(s)
Eclipse Open VSX 0.1.0 < 1.0.2
