Eclipse Theia

11 CVEs affecting Eclipse Theia. Latest disclosed: 2026-06-18. Critical: 2, High: 5.

Top CVEs affecting Eclipse Theia

| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2021-34436 | Critical | 9.8 | 2021-09-02 | In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extens… |
| CVE-2020-27224 | Critical | 9.6 | 2021-02-24 | In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code. |
| CVE-2026-46580 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or… |
| CVE-2026-44691 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without re… |
| CVE-2026-44688 | High | 8.8 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing… |
| CVE-2021-34435 | High | 8.8 | 2021-09-01 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it i… |
| CVE-2019-17636 | High | 8.1 | 2020-03-10 | In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs… |
| CVE-2026-22551 | Medium | 6.5 | 2026-06-18 | In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs with… |
| CVE-2021-41038 | Medium | 6.1 | 2021-11-10 | In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). |
| CVE-2021-28162 | Medium | 6.1 | 2021-03-12 | In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run. |
| CVE-2021-28161 | Medium | 6.1 | 2021-03-12 | In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected. |