Unsafe Dependency Resolution Affecting @theia/debug package, versions <1.69.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-THEIADEBUG-17391871
- published21 Jun 2026
- disclosed18 Jun 2026
- creditPiotr Ryciak
Introduced: 18 Jun 2026
NewCVE-2026-44691 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @theia/debug to version 1.69.0 or higher.
Overview
@theia/debug is a Theia - Debug Extension
Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the processing of custom task definitions from workspace configuration files. An attacker can execute arbitrary commands with the user's privileges by crafting a malicious repository that, when cloned and opened, triggers execution of these commands. This can be automatically exploited by sending a message in the AI chat if the workspace settings disable tool confirmation.