GHSA-f7vx-j8mp-3h2x · Severity: high · Ecosystem: npm — Insufficient Verification of Data Authenticity in Eclipse Theia
In Eclipse Theia versions 0.3.9 through 0.15.0, one of the default pre-packaged Theia extensions is "Mini-Browser", published as "@theia/mini-browser" on npmjs.com. This extension, for its own needs, exposes a HTTP endpoint that allows to read the content of files on the host's filesystem, given their path, without restrictions on the requester's origin. This design is vulnerable to being exploited remotely through a DNS rebinding attack or a drive-by download of a carefully crafted exploit.
Conclusion & alert: CVE-2019-17636 is rated High Exploit Risk (63/100): CVSS High severity, with low exploitation likelihood (EPSS 0.59%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.12% | 0.59% | +0.47% |
| 2 | 2025-03-17 | 0.26% | 0.12% | -0.14% |
| 3 | 2023-07-14 | — | 0.26% | — |
Full EPSS history (8 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.1 | 3.1 | HIGH |
|
2.8 | 5.2 | [email protected] |
| 5.8 | 2.0 | MEDIUM |
|
8.6 | 4.9 | [email protected] |
GHSA-f7vx-j8mp-3h2x · Severity: high · Ecosystem: npm — Insufficient Verification of Data Authenticity in Eclipse Theia
| URL | Tags |
|---|---|
| https://bugs.eclipse.org/bugs/show_bug.cgi?id=551747 | Exploit Issue Tracking Vendor Advisory |