# REPRO-2026-00202: Open VSX Registry serves HTML inline enabling session/token exfiltration
## Summary
Status: published
Severity: medium
Type: security
Confidence: high
## Identifiers
REPRO ID: REPRO-2026-00202
CVE: CVE-2026-4983
## Package
Name: org.eclipse.openvsx:openvsx-server (taken from the Root Cause section below)
Ecosystem: Maven (inferred from the package coordinate)
Affected: all versions before 1.0.2 (confirmed on 1.0.1)
Fixed: 1.0.2
## Root Cause
### Root Cause Analysis: CVE-2026-13323
### Summary
The Open VSX Registry `/vscode/unpkg/` endpoint serves files extracted from published VSIX packages, which are publisher-controlled, with insecure response headers. In versions before 1.0.2, `.html` files are returned with `Content-Type: text/html` and with neither a `Content-Security-Policy` nor a `Content-Disposition: attachment` header, so a browser that navigates to such a file renders it inline in the registry's own origin rather than downloading it or isolating it. Any account that can publish an extension (no elevated privilege is needed) can therefore upload a VSIX containing an HTML payload whose JavaScript runs in the `open-vsx.org` origin for every visitor of that URL, with access to the visitor's authenticated session. That allows session token exfiltration, creation of persistent Personal Access Tokens (PATs) on the victim's account, and publication of malicious extension versions under the victim's namespaces.
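The condition above is decided entirely by response headers, so it can be checked without a browser. The following is an added Python example, not Open VSX project code: it models the browser's decision for a file served from a raw-file endpoint and reports why a response remains scriptable in the serving origin. `parse_raw_headers` accepts a `curl -sI` style header block, and the two header blocks at the bottom are constructed for illustration, not captured from open-vsx.org; the function names and the hardened header set are the example's own choices.

```python
"""Audit the response headers returned for a user-supplied file and decide
whether a browser would run that file's script in the serving origin.

Added example for this advisory; not Open VSX code. The header blocks at the
bottom are constructed, not captured from a live registry.
"""
from typing import Dict, List

# Media types a browser renders as a scriptable document.
SCRIPTABLE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a `curl -sI` header block into a lower-cased name -> value dict.

    The status line is skipped; repeated headers are joined with ', '.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def media_type(content_type: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def csp_directives(csp: str) -> Dict[str, List[str]]:
    """'sandbox allow-scripts; script-src \\'none\\'' -> {'sandbox': [...], ...}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit(headers: Dict[str, str]) -> List[str]:
    """Return the reasons the response is still scriptable in the origin.

    An empty list means an effective control is present: a non-document
    media type, Content-Disposition: attachment, a CSP sandbox that withholds
    allow-scripts or allow-same-origin, or script-src 'none'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    mtype = media_type(h.get("content-type", ""))
    if mtype not in SCRIPTABLE_TYPES:
        return []  # octet-stream, text/plain etc. are never rendered as a document
    disposition = h.get("content-disposition", "").split(";", 1)[0].strip().lower()
    if disposition == "attachment":
        return []  # the browser downloads the file instead of rendering it
    csp = csp_directives(h.get("content-security-policy", ""))
    if "sandbox" in csp:
        # A sandboxed document gets an opaque origin unless allow-same-origin is
        # set and cannot run script unless allow-scripts is set; both are needed
        # for script to run in the registry origin.
        if not {"allow-scripts", "allow-same-origin"} <= set(csp["sandbox"]):
            return []
    if csp.get("script-src", csp.get("default-src")) == ["'none'"]:
        return []  # all script, inline included, is blocked

    reasons = [f"Content-Type {mtype} is rendered as a document",
               "Content-Disposition is not 'attachment'"]
    if "content-security-policy" not in h:
        reasons.append("no Content-Security-Policy")
    elif "sandbox" not in csp:
        reasons.append("CSP has no sandbox directive and does not set script-src 'none'")
    else:
        reasons.append("CSP sandbox grants both allow-scripts and allow-same-origin")
    if "nosniff" in h.get("x-content-type-options", "").lower():
        reasons.append("nosniff does not help: the declared type is already HTML")
    return reasons


def scriptable_in_origin(raw: str) -> bool:
    """True if a crafted file behind these headers runs script in the origin."""
    return bool(audit(parse_raw_headers(raw)))


# Constructed header blocks in the shape of
#   curl -sI https://open-vsx.org/vscode/unpkg/<namespace>/<extension>/<version>/<path>
# (no real responses were captured for this example).
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 61
"""
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Disposition: attachment; filename="index.html"
Content-Security-Policy: sandbox
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(parse_raw_headers(raw)) or ["not scriptable in origin"])
```

Pipe the output of `curl -sI` for a published `.html` path into `parse_raw_headers` to test a registry instance; a non-empty `audit` result lists each missing control. Note that `X-Content-Type-Options: nosniff` is deliberately not counted as a mitigation: it only stops the browser from guessing a type, and here the type is explicitly declared as HTML.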
### Impact
- **Package/component affected**: `org.eclipse.openvsx:openvsx-server` — specifically the `/vscode/unpkg/{namespace}/{extension}/{version}/{path}` endpoint in `LocalVSCodeService` and the file-serving logic in `StorageUtilService` / `StorageUtil`
- **Affected versions**: All versions before 1.0.2 (confirmed on v1.0.1)
- **Risk level**: Medium (severity as assigned in the advisory)
- **Consequences**:
- JavaScript execution in the `open-vsx.org` origin context
- Session cookie/token exfiltration from authenticated users
- Persistent Personal Access Token (PAT) generation
- Unauthorized publication of malicious extension versions
- Supply chain attack via compromised extension updates distributed to VS Code, VSCodium, Cursor, Windsurf, and compatible editors
### Impact Parity
- **Disclosed/claimed maximum impact**: Session/token exfiltration, persistent PAT generation, unauthorized publication of malicious extension versions, supply chain attack
- **Reproduced impact from this run**: Confirmed that the `/vscode/unpkg/` endpoint serves user-controlled HTML files with `Content-Type: text/html` and no `Content-Security-Policy` header, which would cause a browser to render the HTML inline and execute embedded JavaScript in the registry origin. The response body contains a `