Open VSX Registry Stored XSS Enables Supply Chain Attack Against VS Code, Cursor, and Windsurf (CVE-2026-13323)
Scope: Open VSX Registry Versions Prior to 1.0.2 (Affects VS Code, VSCodium, Cursor, Windsurf, and Other Editors)
Severity: High
A stored cross-site scripting vulnerability in Open VSX Registry, the open-source extension marketplace used by VS Code alternatives and enterprise-managed deployments, allows an authenticated attacker to upload a malicious VSIX extension containing an HTML payload. The registry serves that file inline via the /vscode/unpkg/ endpoint without Content Security Policy headers, so the payload executes in the open-vsx.org origin context when any authenticated user visits the URL. This enables session token theft, generation of a persistent personal access token (PAT), and subsequent publishing of malicious extension versions to the registry. Because downstream editors including VSCodium, Cursor, and Windsurf pull extensions from Open VSX, a single compromised extension version can propagate malicious code to every developer environment that auto-updates, constituting a direct supply chain risk. Organizations should upgrade Open VSX Registry to version 1.0.2, audit all recently published extensions, revoke any compromised tokens, and scan developer workstations for indicators of malicious extension installation.
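The root condition above is uploaded package content being served inline from the registry's own origin without headers that prevent it from executing. The following Python function is an added example (not code from Open VSX or from CERT.UG/CC) that audits the response headers of an endpoint serving files extracted from uploaded packages and reports the conditions that make a stored XSS of this kind possible. The header sets are constructed samples; the hardened set shows the general mitigation for this class of issue (deliver user-uploaded content as an attachment, under a sandboxing CSP, with nosniff) and is not a description of the actual change in Open VSX 1.0.2.

```python
"""Audit response headers of an endpoint that serves extracted extension-package files.

Added example; the endpoint name and sample header sets are constructed for
illustration and do not describe Open VSX's real responses or its fix.
"""
from typing import Dict, List

# Content types a browser will render as active content (scripts can run).
ACTIVE_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")


def audit_unpkg_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response; an empty list means no issue found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "").lower()
    disposition = h.get("content-disposition", "").strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    # 1. Active content rendered inline in the registry origin is the XSS sink.
    if ctype in ACTIVE_TYPES and not disposition.startswith("attachment"):
        findings.append(
            f"{ctype} served inline (no 'Content-Disposition: attachment')"
        )

    # 2. Without a CSP, any script in the uploaded file runs with the page origin.
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "sandbox" not in csp and "script-src" not in csp:
        findings.append(
            "Content-Security-Policy does not restrict scripts (no 'sandbox' or 'script-src')"
        )

    # 3. Without nosniff, a misdeclared type can still be sniffed as HTML.
    if not nosniff:
        findings.append("missing 'X-Content-Type-Options: nosniff'")

    return findings


def is_safe_inline_response(headers: Dict[str, str]) -> bool:
    """True when none of the above conditions are present."""
    return not audit_unpkg_headers(headers)


# Constructed sample: the weak shape, an uploaded HTML file returned as-is.
VULNERABLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, max-age=3600",
}

# Constructed sample: a CSP is present but still lets inline scripts run.
PARTIAL_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: the hardened shape for serving untrusted uploads.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Disposition": 'attachment; filename="README.html"',
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    for label, hdrs in (
        ("vulnerable", VULNERABLE_HEADERS),
        ("partial", PARTIAL_HEADERS),
        ("hardened", HARDENED_HEADERS),
    ):
        print(f"{label}: {audit_unpkg_headers(hdrs) or 'no findings'}")
```

Run the script as-is to see the three sample sets classified, or point a small wrapper at a real response (`dict(resp.headers)` from `requests` or `urllib`) to check a self-hosted registry after upgrading. The three checks are independent on purpose: a registry that only adds nosniff, or only a non-sandboxing CSP, still gets a finding, which is what an operator verifying the upgrade wants to see.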
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.