CVE-2026-4983
Stored XSS in Open VSX Registry via Malicious SVG Icons

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Eclipse Foundation

Description
Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.
Affected Vendors & Products (2 associated CPEs)

Vendor    Product            Version / Range
eclipse   openvsx_registry   From 0.1.0 (inc) to 0.34.1 (inc)
eclipse   openvsx_registry   0.34.1
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The Eclipse OpenVSX Registry is vulnerable to a stored cross-site scripting (XSS) attack because it does not properly sanitize SVG files uploaded as extension icons.

An attacker can upload a malicious SVG icon that contains executable scripts. When a user navigates directly to the icon URL, the script executes.

This vulnerability arises because the SVG files are served with the Content-Type 'image/svg+xml' but without security headers like Content-Security-Policy or Content-Disposition: attachment.

Impact Analysis

The impact depends on the deployment type of the OpenVSX Registry.

  • On deployments using local storage, the malicious script executes within the OpenVSX application origin, enabling attackers to hijack user sessions, steal authentication tokens, and publish unauthorized extensions.
  • On deployments using external storage (such as open-vsx.org with an S3-backed CDN), script execution is confined to the storage origin, which reduces the impact but still allows phishing attacks and credential harvesting through attacker-crafted pages.
Detection Guidance

Detection of this vulnerability involves identifying whether SVG files have been uploaded as extension icons and whether those SVG files are served without proper security headers.

Check whether icon responses carry the Content-Type: image/svg+xml header and, if so, whether security headers such as Content-Security-Policy or Content-Disposition: attachment are missing.

Commands to detect this might include using curl or wget to fetch the icon URLs and inspect HTTP headers, for example:

  • curl -I https://your-openvsx-registry-url/path/to/extension/icon.svg
  • Look for the Content-Type header and check for absence of Content-Security-Policy and Content-Disposition headers.

Additionally, scanning your storage or database for SVG files uploaded as extension icons can help identify potentially malicious files.
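The header check and the storage scan described above, as an added Python example (not code from the Open VSX project): it parses a `curl -I` header block, reports why a directly opened SVG response would execute script, and content-sniffs stored icon bytes so renamed SVG files are still found. The two header blocks are constructed samples, not real captures.

```python
import re

# Constructed `curl -I` output for a vulnerable deployment (not a real capture).
UNSAFE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/svg+xml
Content-Length: 412
"""
# The same icon after the server adds the headers the mitigation calls for.
FIXED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="icon.svg"
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
"""

def parse_headers(raw: str) -> dict:
    """Turn a `curl -I` header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:          # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def csp_blocks_script(csp: str) -> bool:
    """True if a sandbox (without allow-scripts) or an effective script-src 'none' applies."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "sandbox" in directives and "allow-scripts" not in directives["sandbox"]:
        return True
    effective = directives.get("script-src", directives.get("default-src"))
    return effective == ["'none'"]

def svg_header_findings(headers: dict) -> list:
    """Reasons a directly opened SVG response would run script; empty means it passes."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "image/svg+xml":
        return []                               # not rendered as an SVG document
    findings = []
    if not headers.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("missing Content-Disposition: attachment")
    if not csp_blocks_script(headers.get("content-security-policy", "")):
        findings.append("missing or permissive Content-Security-Policy")
    return findings

def is_svg(data: bytes) -> bool:
    """Sniff stored icon bytes: SVG is XML whose root element is <svg>, whatever the file name."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:4096]
    head = re.sub(rb"<\?.*?\?>|<!--.*?-->|<!DOCTYPE(?:[^>\[]|\[[^\]]*\])*>", b"", head, flags=re.S | re.I)
    return re.match(rb"\s*<svg\b", head, flags=re.I) is not None
```

Run `is_svg` over every stored icon regardless of extension, since an SVG renamed to `.png` still sniffs as SVG.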

Mitigation Strategies

Immediate mitigation involves preventing the upload and serving of SVG files as extension icons.

The vulnerability has been addressed in OpenVSX version 0.34.1 by rejecting SVG files as extension icons by default.

  • Upgrade your OpenVSX Registry deployment to version 0.34.1 or later.
  • If upgrading is not immediately possible, implement server-side validation to block SVG files from being uploaded as extension icons.
  • Configure your web server or CDN to add security headers such as Content-Security-Policy and Content-Disposition: attachment when serving SVG files.
  • Review and remove any existing malicious SVG icons from your storage.