HIGH🇵🇱 Wersja polska

CVE-2026-44691

CVSS 8.4v4.0pub. 2026-06-18upd. 2026-06-22

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.

CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Eclipse Theia

    APP
    Eclipse
    < 1.69.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2021-34436CRITICAL9.8ten sam produkt

In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (...

CVE-2020-27224CRITICAL9.6ten sam produkt

In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited t...

CVE-2026-46580HIGH8.4ten sam produkt

In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace...

CVE-2026-44688HIGH8.4ten sam produkt

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as p...

CVE-2021-34435HIGH8.8ten sam produkt

In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe...