# REPRO-2026-00202: Open VSX Registry serves HTML inline enabling session/token exfiltration

## Summary

- Status: published
- Severity: medium
- Type: security
- Confidence: high

## Identifiers

- REPRO ID: REPRO-2026-00202
- CVE: CVE-2026-4983

## Package

- Name: Unknown
- Ecosystem: Unknown
- Affected: Unknown
- Fixed: Unknown

## Root Cause

# Root Cause Analysis: CVE-2026-13323

## Summary

The Open VSX Registry `/vscode/unpkg/` endpoint serves user-supplied files extracted from published VSIX packages with insecure HTTP response headers. In versions before 1.0.2, HTML files (`.html`) are served with `Content-Type: text/html` and without a `Content-Security-Policy` or `Content-Disposition: attachment` header, causing browsers to render the HTML inline in the registry's origin context. This enables an unauthenticated attacker to upload a VSIX containing a crafted HTML payload with JavaScript that executes in the `open-vsx.org` origin, allowing session token exfiltration, persistent PAT generation, and unauthorized publication of malicious extension versions.

## Impact

- **Package/component affected**: `org.eclipse.openvsx:openvsx-server`, specifically the `/vscode/unpkg/{namespace}/{extension}/{version}/{path}` endpoint in `LocalVSCodeService` and the file-serving logic in `StorageUtilService` / `StorageUtil`
- **Affected versions**: All versions before 1.0.2 (confirmed on v1.0.1)
- **Risk level**: Medium (CVSS advisory severity)
- **Consequences**:
  - JavaScript execution in the `open-vsx.org` origin context
  - Session cookie/token exfiltration from authenticated users
  - Persistent Personal Access Token (PAT) generation
  - Unauthorized publication of malicious extension versions
  - Supply chain attack via compromised extension updates distributed to VS Code, VSCodium, Cursor, Windsurf, and compatible editors

## Impact Parity

- **Disclosed/claimed maximum impact**: Session/token exfiltration, persistent PAT generation, unauthorized publication of malicious extension versions, supply chain attack
- **Reproduced impact from this run**: Confirmed that the `/vscode/unpkg/` endpoint serves user-controlled HTML files with `Content-Type: text/html` and no `Content-Security-Policy` header, which would cause a browser to render the HTML inline and execute embedded JavaScript in the registry origin. The response body contains a `
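The header pattern the report describes (an active document type served without `Content-Disposition: attachment` and without a script-blocking `Content-Security-Policy`) can be checked mechanically. The following is an added example, not code from the Open VSX project and not its 1.0.2 fix: `inline_render_findings` classifies a response's headers against that pattern, and `harden_headers` shows one defensive header set a registry could return for untrusted package files. The `ACTIVE_DOCUMENT_TYPES` list, the sample header dictionaries and the hardening policy are assumptions made for this illustration.

```python
"""Added example (not Open VSX project code): classify a registry file
response by the headers the advisory discusses (Content-Type,
Content-Security-Policy, Content-Disposition) and build a hardened header
set for comparison. Sample values are constructed; the hardened set is one
defensive choice, not the project's actual fix."""
from typing import Dict, List

# MIME types a browser treats as an active, script-capable document when
# rendered inline. Constructed list for this example.
ACTIVE_DOCUMENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup; HTTP header names are not case sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def inline_render_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons this response would execute as an inline document
    in the serving origin. An empty list means the headers do not show the
    pattern described in the advisory."""
    media_type = get_header(headers, "Content-Type").split(";")[0].strip().lower()
    if media_type not in ACTIVE_DOCUMENT_TYPES:
        return []  # not a script-capable document type; out of scope here

    findings: List[str] = []
    disposition = get_header(headers, "Content-Disposition").strip().lower()
    if not disposition.startswith("attachment"):
        findings.append(
            f"{media_type} is served inline: no 'Content-Disposition: attachment'"
        )

    csp = get_header(headers, "Content-Security-Policy").lower()
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    # A sandbox directive without allow-scripts, or an explicit script-src
    # 'none' (or default-src 'none' with no script-src override), stops
    # embedded script from running even if the document is rendered.
    sandboxed = any(
        d == "sandbox" or (d.startswith("sandbox ") and "allow-scripts" not in d)
        for d in directives
    )
    has_script_src = any(d.startswith("script-src") for d in directives)
    scripts_blocked = "script-src 'none'" in directives or (
        "default-src 'none'" in directives and not has_script_src
    )
    if not (sandboxed or scripts_blocked):
        findings.append("no Content-Security-Policy that blocks script execution")
    return findings


def harden_headers(filename: str, media_type: str) -> Dict[str, str]:
    """Headers for serving an untrusted package file so a browser downloads
    rather than renders it: attachment disposition, a sandbox CSP and
    nosniff, as defence in depth. Assumed policy for this example only."""
    # Strip characters that would break out of the quoted filename parameter.
    safe_name = "".join(c for c in filename if c not in '\\"\r\n')
    return {
        "Content-Type": media_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: the header shape the advisory reports for an .html
# file served by the unpkg endpoint before 1.0.2.
VULNERABLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Length": "512",
}


if __name__ == "__main__":
    cases = (
        ("vulnerable", VULNERABLE_HEADERS),
        ("hardened", harden_headers("index.html", "text/html")),
    )
    for label, hdrs in cases:
        print(label, inline_render_findings(hdrs) or "no findings")
```

Running the block reports two findings for the constructed vulnerable header set and none for the hardened one. The check is deliberately narrow: it only flags active document types, because a file that is downloaded rather than rendered, or one that cannot run script under its CSP, does not reproduce the origin-context execution the report is about.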