CVE-2026-4983 in Open VSX
Summary
by MITRE • 06/23/2026
Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL.
On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.
Analysis
by VulDB Data Team • 06/23/2026
The Open VSX Registry vulnerability represents a critical security flaw in the extension management system for Visual Studio Code and related platforms. This weakness stems from inadequate input validation and sanitization processes applied to SVG file uploads used as extension icons. The registry fails to properly sanitize malicious SVG content before storing it, creating an environment where attackers can inject harmful code that executes when users access the stored files. The vulnerability specifically manifests in the web server's handling of SVG files, which are served with the content type image/svg+xml and without essential security headers, namely the Content-Security-Policy and Content-Disposition: attachment directives that would normally prevent such attacks.
The technical implementation flaw allows for stored cross-site scripting attacks through SVG files because the system treats uploaded SVGs as trusted content without proper validation. This vulnerability aligns with CWE-79 (Cross-site Scripting) and CWE-20 (Improper Input Validation) classifications, where the registry's failure to sanitize user-supplied SVG content creates a persistent XSS vector. The absence of Content-Security-Policy headers removes critical browser-based protections that would normally prevent script execution within the context of SVG files. When users navigate directly to the icon URL, the malicious SVG code executes in the browser context, potentially compromising user sessions and system integrity.
The operational impact varies significantly based on deployment configuration but remains substantial across all scenarios. In local storage deployments, the attack surface is maximized because script execution occurs within the Open VSX application origin, providing attackers with elevated privileges to hijack user sessions, steal authentication tokens, and publish unauthorized extensions. This creates a persistent threat vector that can compromise the entire registry ecosystem. For deployments using external storage, such as open-vsx.org with an S3-backed CDN, the execution scope is limited to the storage origin, but attackers can still craft phishing pages and harvest credentials through carefully constructed malicious SVG files. The vulnerability enables credential harvesting attacks that align with ATT&CK techniques T1566 (Phishing) and T1531 (Account Access Removal), as attackers can create convincing fake authentication pages or steal user session information.
Mitigation strategies should focus on implementing comprehensive SVG sanitization before storage, including removal of executable script elements, event handlers, and potentially dangerous attributes. The registry must enforce proper Content-Security-Policy headers to restrict script execution within SVG contexts and implement Content-Disposition: attachment headers to force file downloads rather than inline rendering for potentially unsafe content. Additionally, input validation should include strict MIME type checking, size limitations, and comprehensive parsing of SVG elements to remove or neutralize any potentially harmful code segments. Organizations should also consider implementing automated scanning systems that analyze uploaded SVG content against known malicious patterns and maintain regular updates to their sanitization libraries to address emerging threats in SVG-based attack vectors.
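As an added illustration of the mitigations above (example code, not Open VSX's own code or anything from the advisory), a minimal Python sanitizer that strips script-capable elements, event-handler attributes and non-allowlisted URLs from an uploaded icon, plus the response headers an icon endpoint would send. The element and attribute lists, the size limit, the header values and the sample icon are assumptions.

```python
import xml.etree.ElementTree as ET

SVG_NS, XLINK_NS = "http://www.w3.org/2000/svg", "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep output tags unprefixed
ET.register_namespace("xlink", XLINK_NS)
MAX_ICON_BYTES = 256 * 1024                 # assumed upload size limit for an icon
# Elements that can run script or embed foreign (HTML) content.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "handler"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]
def _safe_url(value: str) -> bool:
    # Allowlist: in-document fragment references and embedded raster images only.
    v = "".join(value.split()).lower()
    return v.startswith("#") or (v.startswith("data:image/") and not v.startswith("data:image/svg"))

def sanitize_svg(data: bytes) -> bytes:
    """Return the SVG with script-capable elements, event handlers and unsafe URLs removed."""
    if len(data) > MAX_ICON_BYTES:
        raise ValueError("icon too large")
    root = ET.fromstring(data)   # production code should parse with defusedxml (entity expansion)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for parent in list(root.iter()):            # snapshot: we mutate the tree while walking it
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            unsafe_url = attr in URL_ATTRS and not _safe_url(el.attrib[attr])
            if _local(attr).lower().startswith("on") or unsafe_url:
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def icon_response_headers() -> dict:
    """Headers the advisory names as missing when a stored icon is served."""
    return {
        "Content-Type": "image/svg+xml",
        # 'sandbox' gives the document an opaque origin and blocks script even on direct navigation.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": 'attachment; filename="icon.svg"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed sample carrying the patterns the advisory describes (not a real icon).
SAMPLE_ICON = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('x')">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert('x')"><rect width="10" height="10" onclick="alert('x')"/></a>
  <foreignObject><div>html</div></foreignObject>
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""
```

Sanitization and headers are complementary: the sanitizer protects the file at rest, while the sandboxing CSP and attachment disposition protect every icon already stored before the fix.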