{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35454", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-06T21:51:53.048Z", "dateUpdated": "2026-04-07T15:08:45.865Z"}, "containers": {"cna": {"title": "Code Extension Marketplace has a Zip Slip Path Traversal", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h"}, {"name": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2"}], "affected": [{"vendor": "coder", "product": "code-marketplace", "versions": [{"version": "< 2.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:51:53.048Z"}, "descriptions": [{"lang": "en", "value": "The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2."}], "source": {"advisory": "GHSA-8x9r-hvwg-c55h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:35:14.881298Z", "id": "CVE-2026-35454", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:08:45.865Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Code Extension Marketplace has a Zip Slip Path Traversal", "source": {"advisory": "GHSA-8x9r-hvwg-c55h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "coder", "product": "code-marketplace", "versions": [{"status": "affected", "version": "< 2.4.2"}]}], "references": [{"url": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h", "name": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2", "name": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T21:51:53.048Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35454", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:35:14.881298Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T14:35:19.481Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35454", "state": "PUBLISHED", "dateUpdated": "2026-04-06T21:51:53.048Z", "dateReserved": "2026-04-02T19:25:52.193Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T21:51:53.048Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coder:code-marketplace:*:*:*:*:*:*:*:*", "matchCriteriaId": "D11F6EF2-16FD-4E7B-9728-50C32FB68099", "versionEndIncluding": "2.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2."}], "id": "CVE-2026-35454", "lastModified": "2026-04-28T17:01:42.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T22:16:23.760", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/coder/code-marketplace/releases/tag/v2.4.2"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "code-marketplace", "source": "cna", "vendor": "coder"}, "product": "code-marketplace", "vendor": "coder"}], "analysis": {"en": {"generated_at": "2026-04-07T01:54:29.278983+00:00", "value": {"mitigation_remediation": ["Upgrade the Code Extension Marketplace to version 2.4.2 or later.", "Verify the integrity of the installed version and confirm that no older releases remain on the system.", "If the marketplace is publicly accessible, restrict uploads to trusted users or disable public extension publishing until the update is applied.", "Monitor system logs for unexpected file creation or modification outside the extension directory.", "Consider applying additional file system permissions to the extension directory to reduce the impact of any remaining path traversal attempts."], "summary": {"action": "Patch", "impact": "Arbitrary File Write via Path Traversal"}, "threat_synthesis": {"affected_systems": "The Code Extension Marketplace, maintained by coder, is the affected product. All releases prior to 2.4.2 are vulnerable; users and organizations deploying the marketplace should determine if they are running v2.4.1 or older and plan to upgrade. The marketplace serves as an open\u2011source alternative to the VS Code Marketplace and is commonly used in development environments.", "description_and_impact": "The vulnerability results from an unchecked Zip Slip condition when installing extensions. A malicious VSIX file can write files outside the intended extension directory, enabling the creation or overwrite of arbitrary files. This may lead to tampering of critical system files, paving the way for further compromise or denial of service. The weakness corresponds to path traversal (CWE\u201122).", "risk_and_exploitability": "With a CVSS score of 8.7, the vulnerability is considered high severity. No EPSS data is available, and it is not listed in CISA's KEV catalog, limiting published exploit probability details. The attack requires submission of a malicious VSIX package to the marketplace. Once the package is processed, the attacker can write or overwrite files outside the extension directory, potentially reaching privileged files and compromising the host. Consequently, the risk to systems that accept extensions from untrusted sources is significant."}}}}, "created": "2026-04-07T06:53:37.388779+00:00", "updated": "2026-04-07T09:36:34.977103+00:00", "vendors": ["coder", "coder$PRODUCT$code-marketplace"]}