Eclipse Open Vsx

By the Year

In 2026 there have been 0 vulnerabilities in Eclipse Open Vsx. Last year, in 2025, Open Vsx had 2 security vulnerabilities published. Right now, Open Vsx is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year | Vulnerabilities | Average Score
2026 | 0 | 0.00
2025 | 2 | 5.30

It may take a day or so for new Open Vsx vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Eclipse Open Vsx Security Vulnerabilities

Eclipse Open VSX: Unauthorized Extension Uploads via Unisolated Build Scripts
CVE-2025-6705 5.3 - Medium - June 27, 2025

A vulnerability in the Eclipse Open VSX Registry's automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system's build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

Improper Control of Dynamically-Managed Code Resources

OpenVSX 0.9.0–0.20.0: namespace API leaks privilege escalation
CVE-2025-1007 5.3 - Medium - February 19, 2025

In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.
