汇总 coder 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 跨站脚本、路径处理缺陷与输入验证问题 相关,可能在 软件部署与生产负载 场景中带来 异常行为与文件覆盖 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-35454 | The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2. | [email protected] | 8.7 | 0.34% | 2026-04-06 | 2026-06-17 |
| CVE-2025-66411 | Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4. | [email protected] | 7.8 | 0.19% | 2025-12-03 | 2026-06-17 |
| CVE-2025-59956 | AgentAPI is an HTTP API for Claude Code, Goose, Aider, Gemini, Amp, and Codex. Versions 0.3.3 and below are susceptible to a client-side DNS rebinding attack when hosted over plain HTTP on localhost. An attacker can gain access to the /messages endpoint served by the Agent API. This allows for the unauthorized exfiltration of sensitive user data, specifically local message history, which can include secret keys, file system contents, and intellectual property the user was working on locally. Thi | [email protected] | 6.5 | 0.39% | 2025-09-30 | 2026-06-17 |
| CVE-2025-58437 | Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new | [email protected] | 8.1 | 0.35% | 2025-09-05 | 2026-06-17 |
| CVE-2024-27918 | Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider. During OIDC registration, the user's email was improperly validated against the allowed | [email protected] | 8.2 | 0.97% | 2024-03-20 | 2026-06-17 |
| CVE-2023-26114 | Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect to the code-server instance. | [email protected] | 8.2 | 0.34% | 2023-03-23 | 2026-06-17 |
| CVE-2021-42648 | Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL. | [email protected] | 6.1 | 0.77% | 2022-05-11 | 2026-06-17 |
| CVE-2021-3810 | code-server is vulnerable to Inefficient Regular Expression Complexity | [email protected] | 7.5 | 1.22% | 2021-09-17 | 2026-06-17 |