CVE-2026-35454

HIGH SEVERITY

Vulnerability Description

The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names to a callback that wrote files via filepath.Join with no boundary check; filepath.Join resolved .. components but did not prevent the result from escaping the base path. This vulnerability is fixed in 2.4.2.

Vulnerability Details

Published Date

April 04, 2026

Last Modified

April 07, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

Product

github.com/coder/code-marketplace

External References

https://github.com/coder/code-marketplace/security/advisories/GHSA-8x9r-hvwg-c55h
https://github.com/coder/code-marketplace/commit/988440dee05fceef8400ed725badc604dbf90792
https://github.com/coder/code-marketplace/releases/tag/v2.4.2
https://github.com/advisories/GHSA-8x9r-hvwg-c55h

CVE-2026-35454

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment