VYPR
Vendor

Coder

Products
3
CVEs
9
Across products
9
Status
Private

Products

3

Recent CVEs

9
  • CVE-2026-46354criMay 19, 2026
    risk 0.52cvss epss 0.00

    ## Summary `azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":""}` and the…

  • CVE-2025-47269HigMay 9, 2025
    risk 0.50cvss 8.3epss 0.34

    code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can…

  • CVE-2026-35454MedApr 6, 2026
    risk 0.35cvss 6.5epss 0.00

    The Code Extension Marketplace is an open-source alternative to the VS Code Marketplace. Prior to 2.4.2, Zip Slip vulnerability in coder/code-marketplace allowed a malicious VSIX file to write arbitrary files outside the extension directory. ExtractZip passed raw zip entry names…

  • CVE-2024-13726Feb 17, 2025
    risk 0.01cvss epss 0.02

    The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

  • CVE-2026-45796May 19, 2026
    risk 0.00cvss epss 0.00

    ## Summary Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or…

  • CVE-2025-66411Dec 3, 2025
    risk 0.00cvss epss 0.00

    Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace…

  • CVE-2025-58437Sep 6, 2025
    risk 0.00cvss epss 0.00

    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a…

  • CVE-2024-27918Mar 6, 2024
    risk 0.00cvss epss 0.01

    Coder allows oragnizations to provision remote development environments via Terraform. Prior to versions 2.6.1, 2.7.3, and 2.8.4, a vulnerability in Coder's OIDC authentication could allow an attacker to bypass the `CODER_OIDC_EMAIL_DOMAIN` verification and create an account…

  • CVE-2021-42648May 11, 2022
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability exists in Coder Code-Server before 3.12.0, allows attackers to execute arbitrary code via crafted URL.