Impact
The Open VSX Registry does not sanitize SVG files uploaded as extension icons and serves them with a content type of image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition. This flaw enables an attacker to publish an extension with a malicious SVG icon that, when accessed, triggers stored cross-site scripting. The resulting script execution can hijack user sessions, steal authentication tokens, and allow the attacker to publish extensions without authorization, depending on the deployment configuration.
Affected Systems
The vulnerability affects deployments of the Eclipse Foundation's Eclipse Open VSX Registry, whether hosted locally or backed by external storage such as S3-backed CDNs. Local deployments are vulnerable to full same-origin code execution inside the Open VSX application, while external deployments limit execution to the storage origin but still permit phishing and credential harvesting through crafted pages. No specific product version information is provided.
Risk and Exploitability
The CVSS score of 4.1 places this issue in the moderate severity range, and the EPSS score is not available, indicating no publicly known exploitation trend. The vulnerability is not listed in the CISA KEV catalog. The primary attack vector is the upload of a malicious extension icon; the attacker must be able to submit an extension to the registry. On local installations the impact is higher because the injected script runs under the application origin, whereas on external storage deployments the impact is confined to the storage origin but still allows social engineering attacks.
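As an added defensive example (not Open VSX project code), the following Python shows the two controls the Impact section says are missing: an upload-time check that rejects SVG icons carrying the constructs that let an image execute script, and the response headers that contain the damage if a file is served directly from the registry or its storage origin. The element and attribute names are standard SVG; the sample icons are constructed for the test, and probe() is a hypothetical function name.

```python
import re
import xml.etree.ElementTree as ET
# Elements carrying script or embedded documents; matched by local name so a
# prefix such as svg:script cannot evade the check.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
URL_ATTRIBUTES = {"href", "to", "from", "values"}  # href and the animate/set attributes that can rewrite it

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1]

def _is_script_url(value: str) -> bool:
    # Browser URL parsers drop whitespace and control characters, so "java<TAB>script:" counts too.
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

def find_svg_risks(svg_bytes: bytes) -> list[str]:
    """Reasons an uploaded icon is unsafe to serve; [] means clean. A real XML parser
    sees entity-encoded content decoded; a parse failure is itself reported as a risk."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    risks: list[str] = []
    for element in root.iter():
        tag = _local(element.tag)
        if tag in ACTIVE_ELEMENTS:
            risks.append(f"active element <{tag}>")
        for attribute, value in element.attrib.items():
            name = _local(attribute).lower()
            if name.startswith("on"):
                risks.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and _is_script_url(value):
                risks.append(f"script URL in {name} on <{tag}>")
    return risks

def icon_response_headers() -> dict[str, str]:
    """CSP forbids script and, via 'sandbox', same-origin access; attachment disposition
    makes a direct visit download rather than render; nosniff prevents type reinterpretation.
    Icons referenced from <img> still display, and <img> never executes script."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": 'attachment; filename="icon.svg"',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples: a benign icon and one containing each rejected construct.
CLEAN_ICON = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><circle cx="8" cy="8" r="6"/></svg>'
RISKY_ICON = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="probe()"><script>/* constructed: any script element is rejected */</script>'
              b'<a xlink:href="java&#x09;script:probe()"><circle r="4"/></a></svg>')
```

Rejecting on any finding (rather than trying to strip the offending parts) is the safer policy for a registry, since a sanitizer that rewrites the document has to get every parser quirk right.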
OpenCVE Enrichment