CVE-2026-22718
Command Injection in VSCode Spring CLI Extension Enables Code Execution
Publication date: 2026-01-14
Last updated on: 2026-01-14
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_cli | to 0.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary commands on your machine, potentially leading to unauthorized access, data compromise, or system manipulation. It poses high risks to confidentiality and integrity of your system, although the availability impact is low. [1]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to remove the vulnerable VSCode extension for Spring CLI from your development environment, especially if it is version 0.9.0 or older. [1]
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in the VSCode extension for Spring CLI (versions 0.9.0 and older). It allows an attacker to execute arbitrary commands on the user's machine through the compromised extension. The extension is no longer supported and reached end-of-life on May 14, 2025. [1]