Researchers have disclosed details of a now-fixed bug in Open VSX's pre-publish scanning pipeline. The bug let a malicious Microsoft Visual Studio Code extension bypass the vetting process and go live in the registry. A recovery service that was supposed to retry failed scans had the same issue.

An attacker can use this flaw by sending a large number of malicious .VSIX extensions to the publish endpoint, exhausting the database connection pool when too many requests arrive at once. This, in turn, prevents scan jobs from being enqueued. Open VSX version 0.32.0 fixed the problem last month, after it was responsibly reported on February 8, 2026.

Koi, who goes by the name Open Sesame, found the flaw. The most recent version of the tool, 0.31.0, has fixed it. The vulnerability can be triggered by anyone, without any special permissions.

An attacker with a free publisher account could have easily exploited this flaw to disrupt the scanning process and get their extension published. Koi said, "The design of the pipeline is good, but a single boolean that couldn't tell the difference between 'nothing to do' and 'something went wrong' turned the whole thing into a gate that opened under pressure."
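The following is an added illustration of the failure mode described above (connection-pool exhaustion plus a boolean that conflates "nothing to do" with "something went wrong"); it is constructed for this article and is not Open VSX's code. The `FakeScanQueue`, `PoolExhausted`, `ScanState` and the `publish_*` functions are all assumed names for a simplified pipeline. The vulnerable gate returns `False` on an enqueue failure and the caller reads that as "no scan pending, safe to publish"; the fixed gate returns a tri-state result and fails closed on error.

```python
from enum import Enum


class PoolExhausted(Exception):
    """Constructed stand-in for 'no database connection available'."""


class FakeScanQueue:
    """Constructed in-memory scan queue backed by a fixed-size connection pool."""

    def __init__(self, pool_size: int):
        self.pool_size = pool_size
        self.in_use = 0            # connections currently checked out
        self.jobs: list[str] = []  # extension ids with a queued scan

    def saturate(self) -> None:
        """Simulate a burst of concurrent uploads holding every pooled connection."""
        self.in_use = self.pool_size

    def release_all(self) -> None:
        """Simulate the burst subsiding and connections returning to the pool."""
        self.in_use = 0

    def enqueue(self, extension_id: str) -> None:
        """Queue a scan job; raises when no connection can be checked out."""
        if self.in_use >= self.pool_size:
            raise PoolExhausted("connection pool exhausted")
        self.in_use += 1
        try:
            self.jobs.append(extension_id)
        finally:
            self.in_use -= 1


# --- Vulnerable pattern: one boolean for 'no work' and 'enqueue failed' ---

def scan_pending_vulnerable(queue, extension_id, scan_required=True) -> bool:
    """True if a scan job is now pending for this extension, False otherwise.
    'Otherwise' silently covers the failure case as well as the no-work case."""
    if not scan_required:
        return False                 # legitimately nothing to do
    try:
        queue.enqueue(extension_id)
        return True
    except PoolExhausted:
        return False                 # BUG: failure reported as 'nothing to do'


def publish_vulnerable(queue, extension_id, scan_required=True) -> str:
    """Gate that opens under pressure: any False means 'go ahead and publish'."""
    if scan_pending_vulnerable(queue, extension_id, scan_required):
        return "pending"
    return "published"               # fails open when the pool is exhausted


# --- Fixed pattern: tri-state result, gate fails closed on error ---

class ScanState(Enum):
    QUEUED = "queued"
    NOT_REQUIRED = "not_required"
    ERROR = "error"


def scan_pending_fixed(queue, extension_id, scan_required=True) -> ScanState:
    """Same decision, but an enqueue failure is reported as its own state."""
    if not scan_required:
        return ScanState.NOT_REQUIRED
    try:
        queue.enqueue(extension_id)
        return ScanState.QUEUED
    except PoolExhausted:
        return ScanState.ERROR       # distinguishable from 'nothing to do'


def publish_fixed(queue, extension_id, scan_required=True) -> str:
    """Gate that fails closed: only an explicit 'not required' lets it publish."""
    state = scan_pending_fixed(queue, extension_id, scan_required)
    if state is ScanState.QUEUED:
        return "pending"
    if state is ScanState.NOT_REQUIRED:
        return "published"
    return "rejected"                # caller should retry once the pool recovers


if __name__ == "__main__":
    q = FakeScanQueue(pool_size=2)
    print(publish_vulnerable(q, "ext-a"))   # pending: scan queued normally
    q.saturate()                            # burst of uploads exhausts the pool
    print(publish_vulnerable(q, "ext-b"))   # published: scan never queued
    print(publish_fixed(q, "ext-b"))        # rejected: fails closed instead
```

The retry service described in the article inherits the same defect whenever it reuses a boolean "was anything queued?" check: a retry that itself cannot reach the database looks like a successful "nothing left to retry". A tri-state (or an exception that propagates to the gate) is the minimal fix; a stricter design treats "scanned and clean" as the only state that permits publication.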