CVE-2026-1699HIGH 8.8EPSS p39.0%

CVE-2026-1699CVE-2026-1699

Description

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.50% probability of exploitation · percentile 39.0% · 2026-06-18T12:00:27Z
Published2026-01-30
Last modified2026-03-10

Underlying weaknesses· 1

CWE-829

References

  1. https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332

1

TypeTargetConfidenceTier
WeaknessInclusion of Functionality from Untrusted Control Spherecwe-8290%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-22869
CVE
CVE-2026-42603
CVE
CVE-2026-27941
CVE
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
CVE
CVE-2026-3136
CVE
CVE-2025-31479
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.