PT-2026-30337 · Coder · Coder

Vamsik2K5 · Published 2026-04-04 · Updated 2026-04-06 · CVE-2026-35454

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Coder/code-marketplace versions through 2.4.1

Description

A Zip Slip vulnerability allows a malicious VSIX file to write arbitrary files outside the extension directory. The ExtractZip function passes raw zip entry names to a callback that writes files using filepath.Join without a boundary check. filepath.Join resolves '..' components but does not prevent the result from escaping the base path. An authenticated user can submit a VSIX containing path-traversal entries, potentially leading to persistence, SSH key injection, or binary overwrite depending on process privileges.

Recommendations

Update to version 2.4.2 or later.
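
The missing boundary check described above, shown as an added Go example (not code-marketplace's own code and not its actual fix): unsafeTarget reproduces the filepath.Join pattern and safeTarget adds a containment check. The function names, the base directory and the entry names are assumptions constructed for illustration, and the paths assume a Unix-style filesystem.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// unsafeTarget is the pattern the advisory describes: Join cleans ".."
// components but never checks that the result is still under base.
func unsafeTarget(base, entry string) string { return filepath.Join(base, entry) }

// safeTarget adds the boundary check. Comparing via filepath.Rel (rather than
// a string prefix test) also rejects a sibling directory such as base+"-evil".
func safeTarget(base, entry string) (string, error) {
	target := filepath.Join(base, entry)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes %q", entry, base)
	}
	return target, nil
}

// Constructed sample data: an assumed extension directory and entry names
// standing in for the zip.File.Name values of a submitted VSIX.
const sampleBase = "/srv/extensions/pub.demo-1.0.0"
var sampleEntries = []string{
	"extension/package.json",
	"..data/readme.txt",             // odd but legitimate name, stays inside
	"../../escaped.txt",             // climbs out of the base directory
	"extension/../../outside/x.txt", // traversal hidden behind a valid prefix
	"../pub.demo-1.0.0-evil/x.txt",  // sibling sharing the base as a string prefix
}

// rejectedEntries returns the entry names that safeTarget refuses for base.
func rejectedEntries(base string, names []string) []string {
	var bad []string
	for _, n := range names {
		if _, err := safeTarget(base, n); err != nil {
			bad = append(bad, n)
		}
	}
	return bad
}

func main() {
	fmt.Println("unsafe:", unsafeTarget(sampleBase, sampleEntries[2]))
	fmt.Println("rejected:", rejectedEntries(sampleBase, sampleEntries))
}
```

An extractor using this check should stop processing the archive on the first rejected entry instead of skipping it and continuing.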

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-35454
GHSA-8X9R-HVWG-C55H

Affected Products

Coder