CVE-2026-35454
Severity: MEDIUM
Code Extension Marketplace VSIX Extraction - Zip Slip
Title source: manual
Description
The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, a Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolves .. components but does not prevent the resulting path from escaping the base directory. This vulnerability is fixed in 2.4.2.
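The advisory's core point, that filepath.Join removes ".." components but does not confine the result to the base directory, shown as an added Go example (not code from coder/code-marketplace): the unchecked join beside a boundary check that rejects escaping entries before anything is written. Base paths and entry names are constructed, and Unix-style paths are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an entry whose destination would land outside the extraction directory.
var ErrZipSlip = errors.New("zip entry escapes the extraction directory")

// unsafeDest mirrors the pre-2.4.2 pattern the advisory describes: the raw entry
// name is joined onto the base path with no boundary check. filepath.Join cleans
// the "..", so the result looks tidy, yet it may resolve to a path outside base.
func unsafeDest(base, entry string) string {
	return filepath.Join(base, entry)
}

// safeDest joins the entry and then verifies the cleaned result is base itself or
// strictly beneath it. Checking base plus a separator avoids "/tmp/ext" vs "/tmp/ext2".
func safeDest(base, entry string) (string, error) {
	cleanBase := filepath.Clean(base)
	dest := filepath.Join(cleanBase, entry)
	if dest != cleanBase && !strings.HasPrefix(dest, cleanBase+string(filepath.Separator)) {
		return "", ErrZipSlip
	}
	return dest, nil
}

// rejectedEntries pre-screens an archive's entry list and returns the names that
// safeDest would refuse, a cheap check to run before any file is written.
func rejectedEntries(base string, names []string) []string {
	var bad []string
	for _, n := range names {
		if _, err := safeDest(base, n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	// Constructed entry names; a real VSIX is a zip whose files live under "extension/".
	names := []string{"extension/package.json", "../../escaped.txt", "a/../../b"}
	for _, n := range names {
		_, err := safeDest("/tmp/ext", n)
		fmt.Printf("%-24s unsafe=%-22s safe-err=%v\n", n, unsafeDest("/tmp/ext", n), err)
	}
}
```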
References (2)
x_refsource_confirm: https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h
x_refsource_misc: https://github.com/coder/code-marketplace/releases/tag/v2.4.2
Scores
CVSS v3
6.5
EPSS
0.0034
EPSS Percentile
26.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
coder/code-marketplace
< 2.4.1
coder/code-marketplace
0 - 1.2.3-0.20260402184705-988440dee05f (Go)
coder/code-marketplace
< 2.4.2
Published
Apr 06, 2026
Tracked Since
Apr 07, 2026