CVE-2026-1699

Critical CVSS: 10.0

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

Vendor

Eclipse

Product

Theia Website

CWE

CWE-829

Yayın Tarihi

2026-01-30 10:15:56

Güncelleme

2026-03-10 18:23:17

Source Identifier

emo@eclipse.org

KEV Date Added

Kategoriler

CWE-829 Theia Website CRITICAL Eclipse 2026

Referanslar

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332

Benzer Kayıtlar

Critical

CVE-2026-24457

An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server.…

High

CVE-2026-1605

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed…

Low

CVE-2025-11143

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Different…

Medium

CVE-2026-1188

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all suppor…

High

CVE-2026-0648

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_…

High

CVE-2025-55102

A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A special…