Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Eclipse Foundation

#e51fbebd-6053-4e49-959f-1b94eeb69a2c
PolicyEmail

Short Name

eclipse

Program Role

CNA

Top Level Root

MITRE Corporation

Security Advisories

View Advisories

Domain

eclipse.org

Country

Belgium

Scope

All projects hosted by the Eclipse Foundation as listed at https://www.eclipse.org/projects/ and services provided by the Eclipse Foundation to support open source projects as listed at https://www.eclipsestatus.io/.
Reported CVEsVendorsProductsReports
233Vulnerabilities found

CVE-2024-7708
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.5||HIGH
EPSS-0.25% / 16.49%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 09:01
Updated-14 Jul, 2026 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak. This is particularly the case for 100-Continue, but any request where the network is slow can leak.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyEclipse Jetty
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-8384
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.72%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:56
Updated-14 Jul, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyEclipse Jetty
CWE ID-CWE-647
Use of Non-Canonical URL Paths for Authorization Decisions
CVE-2026-6790
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 9.52%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:51
Updated-14 Jul, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present). This was not enforced in earlier HTTP RFC (for example, in RFC 2616), but it is in the latest RFC (9110 and 9112). This mismatch can cause a number of problems that may be classified as vulnerabilities such as: * URI constructions (for example, for redirects -- this is typical for login pages) * Virtual host selection * Reverse proxying * Misleading logs * Etc. Given that the latest RFCs require that request authority and Host header must match, Jetty should enforce this invariant.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyEclipse Jetty
CWE ID-CWE-20
Improper Input Validation
CVE-2026-10051
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.25% / 16.68%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:44
Updated-14 Jul, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of the first request. Subsequent request that do have trailers report the union of trailers of the first request and the current request.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyEclipse Jetty
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-12606
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.19% / 8.55%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:28
Updated-14 Jul, 2026 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Eclipse Grizzly in versions before 5.0.2, cannot properly parse the trailer section in malformed trailer header's line, which can be leveraged to perform HTTP request smuggling.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-grizzlyEclipse GlassFish
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-15075
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.2||HIGH
EPSS-0.14% / 3.86%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:15
Updated-14 Jul, 2026 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Vert.x versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), DefaultRedirectHandler (vertx-core) propagates all request headers as-is across cross-origin HTTP 30x redirects. Only Content-Length is stripped; no origin comparison (scheme, host, port) is performed before copying headers to the redirect target. As a result, credential headers, including Authorization, Cookie, Proxy-Authorization, and arbitrary custom headers such as X-API-Token, are forwarded to the redirect destination without the caller's knowledge. An attacker who can cause a Vert.x HttpClient to issue a request that is redirected to an attacker-controlled host (for example, by supplying a URL to a webhook dispatcher, image proxy, or microservice URL fetcher) can capture bearer tokens, basic-auth credentials, session cookies, and API keys attached to the original request.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xEclipse Vert.x
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-346
Origin Validation Error
CVE-2026-15076
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.2||HIGH
EPSS-0.16% / 5.26%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 08:09
Updated-14 Jul, 2026 | 20:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch), the WebClientSession component of Eclipse Vert.x Web Client does not validate that the Domain attribute of a Set-Cookie response header matches the originating server's domain, in violation of RFC 6265 section 5.3. An attacker who controls any server that the victim application contacts can inject a cookie scoped to an arbitrary third-party domain; because the session store performs no cross-domain ownership check, it stores and later transmits that cookie to the targeted domain. When the victim application subsequently sends a request to the targeted domain using the same WebClientSession, it presents the attacker-injected cookie, causing the receiving service to process the request under the attacker's account. Sensitive data included in the victim application's requests, such as payment amounts, card details, or other API payloads, may then be accessible to the attacker through their own account on that service.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xEclipse Vert.x
CWE ID-CWE-346
Origin Validation Error
CVE-2026-9561
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.8||HIGH
EPSS-0.20% / 10.51%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 07:59
Updated-14 Jul, 2026 | 13:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 (Web Console) and org.eclipse.kura.rest.provider (REST API) components use this header as the primary IP source when initializing audit context, and org.eclipse.kura.jetty.customizer unconditionally installs Jetty's ForwardedRequestCustomizer on all HTTP/HTTPS connectors, causing HttpServletRequest.getRemoteAddr() to reflect the attacker-controlled header value. An unauthenticated remote attacker can exploit this vulnerability to bypass IP-based brute-force protections — such as fail2ban — by spoofing the logged IP address to a non-routable value, allowing a brute-force attack to proceed undetected, or to cause a denial of service against a third party by injecting a victim's IP address and triggering a ban on that address.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Kura
CWE ID-CWE-345
Insufficient Verification of Data Authenticity
CWE ID-CWE-348
Use of Less Trusted Source
CWE ID-CWE-807
Reliance on Untrusted Inputs in a Security Decision
CVE-2026-57898
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9||CRITICAL
EPSS-0.45% / 36.20%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 07:51
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter and passed it through repository file handling as both a repository key and, during thumbnail retrieval, a local filesystem path. With the MongoDB file repository, the supplied filename was treated as an opaque GridFS key and was not normalized or restricted as a filesystem path. A remote attacker could upload thumbnail content using an absolute or traversal-style filename, then trigger thumbnail retrieval so that the uploaded bytes were written to the attacker-chosen path on the server filesystem. This could allow writing files anywhere the Java process has permission to write and may lead to remote code execution. The default InMemory backend is not affected by this specific path because it normalizes and restricts file paths to its temporary directory. The issue is fixed in Eclipse BaSyx Java Server SDK 2.0.0-milestone-13.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse BaSyx - Java Server SDK
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-73
External Control of File Name or Path
CVE-2026-13699
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.73%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 07:38
Updated-14 Jul, 2026 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Databroker 0.6.1 PublishValue missing data_point panic

In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional data_point field in PublishValueRequest. When a request contains a valid signal_id but omits data_point, the server directly calls unwrap() on request.data_point, triggering a panic in the Tokio worker thread. This issue can be triggered by any client holding a valid JWT token. Unauthenticated or invalid-token requests are rejected and do not reach the vulnerable path. The panic causes the individual gRPC call to be cancelled but does not terminate the Databroker process, which remains available for subsequent requests.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-kuksaEclipse KUKSA - Databroker
CWE ID-CWE-20
Improper Input Validation
CVE-2026-10055
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.5||HIGH
EPSS-0.30% / 21.60%
||
7 Day CHG~0.00%
Published-03 Jul, 2026 | 10:30
Updated-06 Jul, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary. The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Theia
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-10054
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.8||HIGH
EPSS-0.16% / 5.51%
||
7 Day CHG~0.00%
Published-03 Jul, 2026 | 10:11
Updated-07 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Theia
CWE ID-CWE-1385
Missing Origin Validation in WebSockets
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-14336
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.2||HIGH
EPSS-0.32% / 24.21%
||
7 Day CHG~0.00%
Published-02 Jul, 2026 | 08:29
Updated-02 Jul, 2026 | 12:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check (issuer.startswith(' https://ci.eclipse.org ') in is_issuer_known, pia/models.py:139) instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://ci.eclipse.org@evil.host (userinfo trick) or https://ci.eclipse.org.evil.host (suffix trick) that satisfies the prefix check while pointing the OIDC discovery and JWKS fetches at a server the attacker controls. An unauthenticated caller of POST /v1/upload/sbom can use this to force PIA to make outbound HTTP(S) requests to an arbitrary attacker-chosen host, and to have oidc.verify_token accept a JWT signed with the attacker's own key.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse CSI - PIA
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-9563
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.5||HIGH
EPSS-0.37% / 28.86%
||
7 Day CHG~0.00%
Published-02 Jul, 2026 | 07:33
Updated-02 Jul, 2026 | 12:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse Parsson
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-13323
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-4.1||MEDIUM
EPSS-0.19% / 8.85%
||
7 Day CHG~0.00%
Published-01 Jul, 2026 | 11:28
Updated-06 Jul, 2026 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX containing a crafted HTML payload, and induce an authenticated user to visit the resulting URL. The browser renders the file inline in the open-vsx.org origin context, enabling session token exfiltration, persistent Personal Access Token (PAT) generation, and unauthorized publication of malicious extension versions. Because Open VSX extensions are distributed to VS Code, VSCodium, Cursor, Windsurf, and compatible editors, a compromised extension update constitutes a supply chain attack against all downstream users.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-open_vsxEclipse Open VSX
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-12616
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.31% / 22.81%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 13:23
Updated-29 Jun, 2026 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The /v1/upload/sbom endpoint extracts the iss claim from the attacker-supplied JWT with signature verification disabled, then interpolates that string into three log statements before any validation gate. Because the configured log format ("%(asctime)s - %(name)s - %(levelname)s - %(message)s") renders newlines literally, an unauthenticated attacker can forge log records that are byte-for-byte indistinguishable from PIA's genuine "Successfully authenticated project" message. PIA is an authentication broker whose logs are explicitly relied upon for incident response (DESIGN.md §5.4 lists "Token verifications" and "Errors" as events to log), so the ability to plant fake auth-success entries directly undermines the audit trail the service exists to produce.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse CSI - PIA
CWE ID-CWE-117
Improper Output Neutralization for Logs
CVE-2026-9267
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.17% / 6.94%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 08:10
Updated-29 Jun, 2026 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function that allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0 on both client and server paths to cause denial of service on memory-constrained devices.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse tinydtls
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-4983
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-4.1||MEDIUM
EPSS-0.23% / 13.25%
||
7 Day CHG~0.00%
Published-23 Jun, 2026 | 10:50
Updated-24 Jun, 2026 | 16:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security headers such as Content-Security-Policy or Content-Disposition: attachment. This allows an attacker to publish an extension with a malicious SVG icon and achieve stored cross-site scripting (XSS) when a user navigates directly to the icon URL. On deployments using local storage, script execution occurs within the Open VSX application origin, enabling session hijacking, authentication token theft, and unauthorized extension publishing. On deployments backed by external storage (such as open-vsx.org with an S3-backed CDN), execution is confined to the storage origin, reducing impact but still permitting phishing attacks and credential harvesting through attacker-crafted pages.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-open_vsxEclipse Open VSX
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-11576
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.5||HIGH
EPSS-0.26% / 17.81%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 08:27
Updated-02 Jul, 2026 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The security fix for CVE-2025-0728 in eclipse-threadx NetX Duo refactors error handling in the HTTP server PUT process to use a shared cleanup label, but this unified cleanup path unconditionally calls fx_file_close() even when the file was never successfully opened. Multiple error branches jump to the shared cleanup label before any file open operation has occurred, causing fx_file_close() to operate on an uninitialized file handle, leading to undefined behavior, double-close issues, or memory corruption.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_netx_duoEclipse ThreadX - NetX Duo
CWE ID-CWE-415
Double Free
CWE ID-CWE-459
Incomplete Cleanup
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2026-44691
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.4||HIGH
EPSS-0.23% / 13.92%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 14:35
Updated-22 Jun, 2026 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theiaEclipse Theia
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-22551
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.7||MEDIUM
EPSS-0.18% / 7.84%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 14:32
Updated-22 Jun, 2026 | 20:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theiaEclipse Theia
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-46580
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.4||HIGH
EPSS-0.27% / 19.13%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 14:26
Updated-22 Jun, 2026 | 19:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI's system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theiaEclipse Theia
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-1427
Improper Neutralization of Input Used for LLM Prompting
CVE-2026-44688
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.4||HIGH
EPSS-0.27% / 19.13%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 14:22
Updated-22 Jun, 2026 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theiaEclipse Theia
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CWE ID-CWE-1427
Improper Neutralization of Input Used for LLM Prompting
CVE-2026-9158
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-5.2||MEDIUM
EPSS-0.30% / 22.37%
||
7 Day CHG~0.00%
Published-18 Jun, 2026 | 14:10
Updated-02 Jul, 2026 | 20:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-4diac_forteEclipse 4diac
CWE ID-CWE-416
Use After Free
CVE-2026-2586
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9.1||CRITICAL
EPSS-0.82% / 53.13%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 14:12
Updated-29 Jun, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-glassfishEclipse Glassfish
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-2587
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9.6||CRITICAL
EPSS-0.63% / 46.04%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 14:03
Updated-29 Jun, 2026 | 09:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-glassfishEclipse Glassfish
CWE ID-CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2026-6860
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.24% / 14.75%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 09:55
Updated-12 May, 2026 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xEclipse Vert.x
CWE ID-CWE-295
Improper Certificate Validation
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-7412
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.6||HIGH
EPSS-0.52% / 40.48%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 14:15
Updated-06 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse BaSyx
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-7411
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-10||CRITICAL
EPSS-3.68% / 88.43%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 14:07
Updated-06 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse BaSyx
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-6918
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.7||HIGH
EPSS-0.52% / 40.54%
||
7 Day CHG~0.00%
Published-05 May, 2026 | 12:29
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Open9J versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message.

Action-Not Available
Vendor-Red Hat, Inc.Eclipse Foundation AISBL
Product-openj9Eclipse OpenJ9Red Hat Enterprise Linux 10.2 Extended Update SupportRed Hat Enterprise Linux 10Red Hat Enterprise Linux 10.0 Extended Update Support
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-1286
Improper Validation of Syntactic Correctness of Input
CVE-2026-6272
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.5||HIGH
EPSS-0.27% / 18.73%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 08:28
Updated-24 Apr, 2026 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any valid token with only read scope. 2. Connect to the normal production gRPC API (kuksa.val.v2). 3. Open OpenProviderStream. 4. Send ProvideSignalRequest for a target signal ID. 5. Wait for the broker to forward GetProviderValueRequest. 6. Reply with attacker-controlled GetProviderValueResponse. 7. Other clients performing GetValue / GetValues for that signal receive forged data.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-Eclipse KUKSA - Databroker
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-2332
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.4||HIGH
EPSS-1.13% / 62.70%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 10:59
Updated-15 Jul, 2026 | 02:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Request Smuggling via Chunked Extension Quoted-String Parsing

In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.

Action-Not Available
Vendor-Red Hat, Inc.Eclipse Foundation AISBL
Product-jettyEclipse JettyOpenShift Developer Tools and ServicesRed Hat Build of Apache Camel 4.18 for Quarkus 3.33Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14Red Hat build of Apicurio Registry 2Red Hat Process Automation 7Red Hat build of Debezium 2Red Hat Fuse 7Red Hat Offline Knowledge Portal 1.2.7Red Hat JBoss Web Server 6Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat Enterprise Linux 9Red Hat Data Grid 8streams for Apache Kafka 3Red Hat build of Debezium 3Red Hat OpenShift Dev Spaces 3.27Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6streams for Apache Kafka 2HawtIO HawtIO 4.4.0Red Hat AMQ Broker 7.13.5Red Hat build of Apache Camel 4 for Quarkus 3Red Hat Single Sign-On 7Red Hat AMQ Broker 7Red Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-5795
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.4||HIGH
EPSS-0.53% / 41.19%
||
7 Day CHG~0.00%
Published-08 Apr, 2026 | 13:32
Updated-15 Jul, 2026 | 01:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.

Action-Not Available
Vendor-Red Hat, Inc.Eclipse Foundation AISBL
Product-jettyEclipse JettyRed Hat Data Grid 8Red Hat OpenShift Dev SpacesRed Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14streams for Apache Kafka 3HawtIO HawtIO 4.4.0Red Hat Offline Knowledge Portal 1.2.7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-226
Sensitive Information in Resource Not Removed Before Reuse
CWE ID-CWE-287
Improper Authentication
CVE-2026-24457
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9.1||CRITICAL
EPSS-0.62% / 45.51%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 16:27
Updated-10 Mar, 2026 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ’s host OS. In some scenarios RCE could be achieved.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-open_message_queueEclipse OpenMQ
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-27
Path Traversal: 'dir/../../filename'
CVE-2026-1605
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.5||HIGH
EPSS-0.62% / 45.94%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 09:39
Updated-15 Jul, 2026 | 02:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

Action-Not Available
Vendor-Red Hat, Inc.Eclipse Foundation AISBL
Product-jettyEclipse JettyOpenShift Developer Tools and ServicesRed Hat Enterprise Linux 7Red Hat OpenShift Dev Spaces 3.28Red Hat build of Apicurio Registry 2Red Hat Process Automation 7Red Hat build of Debezium 2Red Hat Fuse 7Red Hat JBoss Web Server 6Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat build of Apicurio Registry 3Red Hat build of Apache Camel for Spring Boot 4Red Hat Enterprise Linux 9Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9Red Hat Data Grid 8streams for Apache Kafka 3Red Hat build of Debezium 3Red Hat Enterprise Linux 8Red Hat JBoss Enterprise Application Platform 7Red Hat Satellite 6streams for Apache Kafka 2Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8HawtIO HawtIO 4.4.0Red Hat JBoss Enterprise Application Platform 8.1Red Hat AMQ Broker 7.14.0Red Hat Single Sign-On 7Red Hat Offline Knowledge Portal
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CWE ID-CWE-772
Missing Release of Resource after Effective Lifetime
CVE-2025-11143
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-3.7||LOW
EPSS-0.16% / 5.42%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 09:26
Updated-06 Mar, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyEclipse Jetty
CWE ID-CWE-20
Improper Input Validation
CVE-2026-22886
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9.8||CRITICAL
EPSS-0.40% / 32.46%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 09:18
Updated-09 Apr, 2026 | 19:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-openmqEclipse OpenMQ
CWE ID-CWE-1391
Use of Weak Credentials
CWE ID-CWE-1392
Use of Default Credentials
CWE ID-CWE-1393
Use of Default Password
CVE-2026-1699
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-10||CRITICAL
EPSS-0.50% / 39.73%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 09:57
Updated-10 Mar, 2026 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-theia_websiteEclipse Theia - Website
CWE ID-CWE-829
Inclusion of Functionality from Untrusted Control Sphere
CVE-2026-1188
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.49% / 39.00%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 08:36
Updated-09 Feb, 2026 | 15:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-omrEclipse OMR
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-131
Incorrect Calculation of Buffer Size
CVE-2026-0648
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.27%
||
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:40
Updated-02 Apr, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The vulnerability stems from an incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but @osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadxEclipse ThreadX
CWE ID-CWE-253
Incorrect Check of Function Return Value
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-55095
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-4.2||MEDIUM
EPSS-0.14% / 3.61%
||
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:34
Updated-02 Apr, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(...)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_usbxEclipse ThreadX - USBX
CWE ID-CWE-121
Stack-based Buffer Overflow
CWE ID-CWE-674
Uncontrolled Recursion
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-55102
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.7||HIGH
EPSS-0.36% / 28.20%
||
7 Day CHG~0.00%
Published-27 Jan, 2026 | 15:25
Updated-02 Apr, 2026 | 20:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted network packet of "Packet Too Big" with more than 15 different source address can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_netx_duoEclipse ThreadX - NetX Duo
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-1002
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.34% / 26.52%
||
7 Day CHG~0.00%
Published-15 Jan, 2026 | 20:50
Updated-05 Feb, 2026 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eclipse Vert.x Web static handler file access denial

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Action-Not Available
Vendor-Eclipse Vert.xEclipse Foundation AISBL
Product-vert.x-webEclipse Vert.x
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2025-14549
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.9||MEDIUM
EPSS-0.26% / 17.54%
||
7 Day CHG~0.00%
Published-15 Dec, 2025 | 05:32
Updated-20 Jan, 2026 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OMR on Z processors Exposing a possible buffer over-read problem

In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL (0x00) characters during the Latin-compatible charset (UTF-8, ISO8859-1, ASCII, etc) to IBM-1047/037 translation sequence. This can cause the output byte array to be truncated, discarding the first NUL byte and all subsequent characters, and thereby exposing a possible buffer over-read problem. This issue is fixed in Eclipse OMR version 0.8.0.

Action-Not Available
Vendor-Eclipse OMREclipse Foundation AISBL
Product-omrEclipse OMR
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-10543
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.20% / 9.56%
||
7 Day CHG~0.00%
Published-02 Dec, 2025 | 08:18
Updated-16 Jan, 2026 | 21:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body).

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-paho_mqttpaho.mqtt.golang (Go MQTT v3.1 library)
CWE ID-CWE-197
Numeric Truncation Error
CWE ID-CWE-681
Incorrect Conversion between Numeric Types
CVE-2025-12383
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-9.4||CRITICAL
EPSS-0.28% / 20.38%
||
7 Day CHG+0.01%
Published-18 Nov, 2025 | 15:14
Updated-16 Jan, 2026 | 20:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Race Condition allows Bypass of Trust Restrictions

In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain conditions, it could lead to unauthorized trust in insecure servers (see PoC)

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jerseyJersey
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2025-11965
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.47% / 37.62%
||
7 Day CHG+0.01%
Published-22 Oct, 2025 | 14:50
Updated-16 Jan, 2026 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xVert.x
CWE ID-CWE-552
Files or Directories Accessible to External Parties
CVE-2025-11966
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-2.3||LOW
EPSS-0.27% / 19.10%
||
7 Day CHG+0.01%
Published-22 Oct, 2025 | 14:44
Updated-20 Jan, 2026 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-vert.xVert.x
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2025-55086
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-6.3||MEDIUM
EPSS-0.37% / 29.48%
||
7 Day CHG+0.01%
Published-20 Oct, 2025 | 17:49
Updated-24 Oct, 2025 | 15:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In NetXDuo version before 6.4.4, a networking support module for Eclipse Foundation ThreadX, in the DHCPV6 client there was an unchecked index extracting the server DUID from the server reply. With a crafted packet, an attacker could cause an out of memory read.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_netx_duoNextX Duo
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
CVE-2025-55085
Assigner-Eclipse Foundation
ShareView Details
Assigner-Eclipse Foundation
CVSS Score-8.8||HIGH
EPSS-0.57% / 43.23%
||
7 Day CHG+0.01%
Published-17 Oct, 2025 | 14:22
Updated-27 Oct, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Web http client: Unchecked Server-Side Malicious Packet Issue

In NextX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-threadx_netx_duoNetX Duo
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-1286
Improper Validation of Syntactic Correctness of Input
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • Next