Description
In Eclipse Theia versions up to and including 0.16.0, notification messages are not HTML-escaped, so JavaScript code can run.
Scores
CVSS v3
6.1
EPSS
0.0017
EPSS Percentile
38.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-829
CWE-830
Status
published
Products (2)
eclipse/theia
< 0.16.0
theia/messages
0 - 1.0.0 (npm)
Published
Mar 12, 2021
Tracked Since
Feb 18, 2026