Aggregates CVE and security vulnerability intelligence across all Eclipse Foundation-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues involve various input-handling and memory-safety problems that may affect software stability and security.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2022-29246 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. Prior to version 6.1.11, he USBX DFU UPLOAD functionality may be utilized to introduce a buffer overflow resulting in overwrite of memory contents. In particular cases this may allow an attacker to bypass security features or execute arbitrary code. The implementation of `ux_device_class_dfu_control_request` function does not assure that a buffer overflow will not occur during handling of the DFU UPLOAD command. When an a | [email protected] | 9.8 | 2.16% | 2022-05-24 | 2026-06-17 |
| CVE-2022-29223 | Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded stack. In versions prior to 6.1.10, an attacker can cause a buffer overflow by providing the Azure RTOS USBX host stack a HUB descriptor with `bNbPorts` set to a value greater than `UX_MAX_TT` which defaults to 8. For a `bNbPorts` value of 255, the implementation of `ux_host_class_hub_descriptor_get` function will modify the contents of `hub` -> `ux_host_class_hub_device` -> `ux_device_hub_tt` array violating the end boundary by | [email protected] | 7.5 | 1.13% | 2022-05-24 | 2026-06-17 |
| CVE-2021-38443 | Eclipse CycloneDDS versions prior to 0.8.0 improperly handle invalid structures, which may allow an attacker to write arbitrary values in the XML parser. | [email protected] | 6.6 | 2.19% | 2022-05-05 | 2026-06-17 |
| CVE-2021-38441 | Eclipse CycloneDDS versions prior to 0.8.0 are vulnerable to a write-what-where condition, which may allow an attacker to write arbitrary values in the XML parser. | [email protected] | 6.6 | 2.10% | 2022-05-05 | 2026-06-17 |
| CVE-2021-41041 | In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. | [email protected] | 5.3 | 0.98% | 2022-04-26 | 2026-06-17 |
| CVE-2022-0673 | A flaw was found in LemMinX in versions prior to 0.19.0. Cache poisoning of external schema files due to directory traversal. | [email protected] | 6.5 | 0.98% | 2022-02-18 | 2026-06-17 |
| CVE-2022-0672 | A flaw was found in LemMinX in versions prior to 0.19.0. Insecure redirect could allow unauthorized access to sensitive information locally if LemMinX is run under a privileged user. | [email protected] | 5.5 | 0.29% | 2022-02-18 | 2026-06-17 |
| CVE-2021-41040 | In Eclipse Wakaama, ever since its inception until 2021-01-14, the CoAP parsing code does not properly sanitize network-received data. | [email protected] | 7.5 | 1.36% | 2022-02-01 | 2026-06-17 |
| CVE-2021-41039 | In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 client connecting with a large number of user-property properties could cause excessive CPU usage, leading to a loss of performance and possible denial of service. | [email protected] | 7.5 | 1.26% | 2021-12-01 | 2026-06-17 |
| CVE-2021-41038 | In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage(). | [email protected] | 6.1 | 0.71% | 2021-11-10 | 2026-06-17 |
| CVE-2021-41036 | In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket. | [email protected] | 9.8 | 1.17% | 2021-11-02 | 2026-06-17 |
| CVE-2021-41035 | In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. | [email protected] | 9.8 | 1.70% | 2021-10-25 | 2026-06-17 |
| CVE-2021-41034 | The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che. | [email protected] | 8.1 | 0.39% | 2021-09-29 | 2026-06-17 |
| CVE-2021-41033 | In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code. | [email protected] | 8.1 | 1.05% | 2021-09-13 | 2026-06-17 |
| CVE-2021-32835 | Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape vulnerability may lead to post-authentication Remote Code execution. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | [email protected] | 9.9 | 4.58% | 2021-09-08 | 2026-06-16 |
| CVE-2021-32834 | Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a user able to create Policy Sets can run arbitrary code by sending malicious Groovy scripts which will escape the configured Groovy sandbox. This vulnerability is known to exist in the latest commit at the time of writing this CVE (commit a1c8dbe). For more details see the referenced GHSL-2021-063. | [email protected] | 8.2 | 0.92% | 2021-09-08 | 2026-06-16 |
| CVE-2021-34436 | In Eclipse Theia 0.1.1 to 0.2.0, it is possible to exploit the default build to obtain remote code execution (and XXE) via the theia-xml-extension. This extension uses lsp4xml (recently renamed to LemMinX) in order to provide language support for XML. This is installed by default. | [email protected] | 9.8 | 2.15% | 2021-09-02 | 2026-06-16 |
| CVE-2021-34435 | In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. But with the way it is made it is possible for a previewed HTML file to trigger an RCE. This exploit only happens if a user previews a malicious file.. | [email protected] | 8.8 | 0.58% | 2021-09-01 | 2026-06-16 |
| CVE-2021-34434 | In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, then existing subscriptions for that client are not revoked. | [email protected] | 5.3 | 1.37% | 2021-08-30 | 2026-06-16 |
| CVE-2020-18735 | A heap buffer overflow in /src/dds_stream.c of Eclipse IOT Cyclone DDS Project v0.1.0 causes the DDS subscriber server to crash. | [email protected] | 7.5 | 1.86% | 2021-08-23 | 2026-06-16 |