Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Open VSX pre-publish scanning fail-open now patched security flaw

Vulnerability
First reported
Last updated
Happening score
H score 2
1 unique sources, 1 articles

Summary

Hide ▲

A now-patched fail-open bug in Open VSX's pre-publish scanning pipeline could let malicious VS Code extensions bypass vetting and go live in the registry, weakening a key supply-chain control. The flaw came from a single boolean return value that treated scanner failures the same as no scanners configured, so failed scans were waved through. The issue was fixed in Open VSX version 0.32.0 after responsible disclosure on February 8, 2026.

Related Happenings

Windows cldflt.sys MiniPlasma privilege escalation zero-day privilege-escalation flaw

Vulnerability
First: 18.05.2026 07:59 Last: 18.05.2026 07:59 Sources 1

About this happening: **MiniPlasma** is a **Windows privilege-escalation zero-day** in **cldflt.sys** that can give attackers **SYSTEM** privileges on **fully patched Windows systems**. The flaw affect...

Open Happening

Windows cldflt.sys privilege escalation (CVE-2020-17103)

Vulnerability
First: 18.05.2026 01:30 Last: 18.05.2026 01:30 Sources 1

About this happening: A public **MiniPlasma** proof-of-concept has renewed concern around the **Windows cldflt.sys Cloud Filter driver** because it can elevate a **standard user** to **SYSTEM** on **fu...

Open Happening

Windows DNS heap-based buffer overflow remote code execution flaw (CVE-2026-41096)

Vulnerability
First: 13.05.2026 13:36 Last: 13.05.2026 13:36 Sources 1

About this happening: Microsoft patched **CVE-2026-41096**, a **heap-based buffer overflow** in **Windows DNS** that could let an unauthorized attacker execute code remotely on vulnerable Windows syste...

Open Happening

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Open Happening

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Open Happening

Timeline

  1. 27.03.2026 15:57 1 articles · 2mo ago

    Responsible disclosure of Open VSX fail-open scanning bug

    Initial Disclosure

    On February 8, 2026, Koi Security initiated responsible disclosure for an Open VSX fail-open flaw in the Java-based pre-publish scanning pipeline, where scanner job failures were treated the same as "no scanners are configured." The weakness could let malicious VS Code extensions pass vetting, and an attacker could trigger it by flooding the publish endpoint until the database connection pool was exhausted.

    Show sources
    Open in new tab
  2. 27.03.2026 15:57 2 articles · 2mo ago

    Researchers disclose Open VSX fail-open extension vetting bug

    Technical Analysis Update

    Researchers disclosed a now-patched Open VSX flaw in the pre-publish security checks that let a malicious Microsoft Visual Studio Code (VS Code) extension pass vetting and go live in the registry. Under load, scanner failures were misread as "nothing to scan for," a recovery service inherited the same bug, and Open VSX version 0.32.0 addressed the issue.

    Show sources
    Open in new tab