Theia
This hub aggregates every CVE we track for Theia, a product in the devtools ci space. Use it to gauge the current risk picture and drill into individual advisories.
11
CVEs tracked
2
Critical
5
High
0
In CISA KEV
Severity distribution
HIGH5MEDIUM4CRITICAL2
Monthly trend
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
4
2024-072026-06
Latest CVEs
The 11 most recently published vulnerabilities affecting Theia.
- CVE-2026-44691In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker c...8.8
- CVE-2026-22551In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt ...6.5
- CVE-2026-46580In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. ...8.8
- CVE-2026-44688In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An atta...8.8
- CVE-2021-41038In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().6.1
- CVE-2021-34436In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to ...9.8
- CVE-2021-34435In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file t...8.8
- CVE-2021-28162In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run.6.1
- CVE-2021-28161In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary Javascript code can be injected.6.1
- CVE-2020-27224In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.9.6
- CVE-2019-17636In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own need...8.1
Product normalization is registry-driven with AI assist and human review. How it works