Eclipse Theia
11 CVEs affecting Eclipse Theia. Latest disclosed: 2026-06-18. Critical: 2, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-34436 | Critical | 9.8 | 2021-09-02 | In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extens… |
| CVE-2020-27224 | Critical | 9.6 | 2021-02-24 | In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. |
| CVE-2026-46580 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or… |
| CVE-2026-44691 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without re… |
| CVE-2026-44688 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing… |
| CVE-2021-34435 | High | 8.8 | 2021-09-01 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it i… |
| CVE-2019-17636 | High | 8.1 | 2020-03-10 | In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs… |
| CVE-2026-22551 | Medium | 6.5 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs with… |
| CVE-2021-41038 | Medium | 6.1 | 2021-11-10 | In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). |
| CVE-2021-28162 | Medium | 6.1 | 2021-03-12 | In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. |
| CVE-2021-28161 | Medium | 6.1 | 2021-03-12 | In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. |