Stored Cross-Site Scripting in Open VSX Registry Extension Icons
CVE-2026-4983

4.1 MEDIUM

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-4983?

The Open VSX Registry does not sanitize SVG files uploaded as extension icons, so a malicious publisher can upload an SVG containing script that runs when a user opens the icon. The registry serves these files with the MIME type image/svg+xml but without the headers that would neutralise them, such as Content-Security-Policy or Content-Disposition: attachment. When the registry is configured to serve extension files from local storage, the icon is delivered from the application's own origin, so the embedded script executes in that origin and can be used for session hijacking and theft of user credentials. With external storage the icon is served from a separate origin, which limits the impact, but the attacker-controlled SVG can still be used for phishing and credential harvesting. The root cause is the absence of both input sanitization and response hardening for uploaded icons in the Open VSX Registry.
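The two controls the advisory implies (reject active content at upload time, and serve whatever is accepted with headers that stop a browser from treating it as a document in the registry's origin) can be checked with a small amount of code. The following is an added example written for this page; it is not Open VSX project code. The element and attribute lists, the 256 KiB size limit, the sample icons and the header set are all constructed assumptions, and the parser is the standard-library ElementTree, which does not defend against entity-expansion attacks (a production deployment would parse with defusedxml or disable DTD processing).

```python
"""Defensive checks for SVG extension icons (constructed example, not Open VSX code).

1. find_active_content(): reject uploads that carry script elements, event-handler
   attributes, script-scheme URLs or embedded HTML (foreignObject).
2. icon_response_headers() / check_response_headers(): serve accepted icons with
   headers that keep them from executing in the registry's origin, and flag
   responses that lack those headers.
"""
import xml.etree.ElementTree as ET

MAX_ICON_BYTES = 256 * 1024  # assumed upload limit; icons are small
# Elements that can carry executable or embedded HTML content (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings for an uploaded icon; an empty list means it is inert."""
    findings: list[str] = []
    if len(svg_bytes) > MAX_ICON_BYTES:
        return [f"icon exceeds {MAX_ICON_BYTES} bytes"]
    try:
        root = ET.fromstring(svg_bytes)  # NOTE: use defusedxml in production
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            # Every SVG attribute beginning with "on" is an event handler.
            if a.lower().startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            # href / xlink:href with a script-capable scheme; whitespace is removed
            # first so "java\nscript:" style obfuscation is still caught.
            if a == "href":
                cleaned = "".join(value.split()).lower()
                scheme = cleaned.split(":", 1)[0] if ":" in cleaned else ""
                if scheme in SCRIPT_SCHEMES:
                    findings.append(f"{scheme}: URL in href on <{name}>")
    return findings


def icon_response_headers() -> dict[str, str]:
    """Headers to serve an accepted SVG icon with (assumed policy)."""
    return {
        "Content-Type": "image/svg+xml",
        # Download when navigated to directly; <img> rendering is unaffected.
        "Content-Disposition": 'attachment; filename="icon.svg"',
        # No scripts and no external loads; inline styles only.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


def check_response_headers(headers: dict[str, str]) -> list[str]:
    """Flag an SVG response that lacks the protections above (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "image/svg+xml":
        return []  # not an SVG response, nothing to check
    problems = []
    if "content-security-policy" not in h:
        problems.append("missing Content-Security-Policy")
    if not h.get("content-disposition", "").strip().lower().startswith("attachment"):
        problems.append("Content-Disposition is not attachment")
    return problems


# Constructed sample icons: one inert, one carrying three kinds of active content.
INERT_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16">'
    b'<circle cx="8" cy="8" r="6" fill="#37f"/></svg>'
)
ACTIVE_ICON = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="handler()"><script>/* any script */</script>'
    b'<a xlink:href="javascript:void(0)"><rect width="16" height="16"/></a></svg>'
)

if __name__ == "__main__":
    print("inert icon:", find_active_content(INERT_ICON))
    print("active icon:", find_active_content(ACTIVE_ICON))
    print("bare response:", check_response_headers({"Content-Type": "image/svg+xml"}))
    print("hardened response:", check_response_headers(icon_response_headers()))
```

The upload check is an allow-or-reject gate, not a rewriter: stripping offending nodes and keeping the rest invites parser-differential bypasses, so a registry is better off refusing the file and telling the publisher why. The response headers are the second, independent layer: even if a bad icon slips through, an SVG served with Content-Disposition: attachment and a script-free CSP does not run as a document in the registry's origin when a user navigates to its URL.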

Affected Version(s)

Eclipse Open VSX 0.1.0 < 0.34.1

CVSS V3.1

Score: 4.1
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Golan Myers