In Eclipse Theia versions up to and including 1.2.0, the Markdown Preview (@theia/preview), can be exploited to execute arbitrary code.

Cross-site Scripting (XSS) in Eclipse Theia