216.73.216.86

CVE-2026-35454

· Published 06/04/2026 22:16 · Modified 07/04/2026 13:20

Labels: CVE-2026-35454 2026-04-06CVE-2026-35454CWE-22[email protected]

Essential information

Published
06/04/2026 22:16
Modified
07/04/2026 13:20
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
coder / code-marketplace cpe:2.3:a:coder:code-marketplace:<2.4.2:*:*:*:*:*:*:*

References