CVE-2026-12856
Modified Modified - Updated After Analysis

VS Code Java Extension Markdown Command Injection

Vulnerability report for CVE-2026-12856, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-07-15

Assigner: Red Hat, Inc.

Description

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-07-15
Generated
2026-07-19
AI Q&A
2026-06-29
EPSS Evaluated
2026-07-18
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat openshift_dev_spaces *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw found in the vscode-java extension for Visual Studio Code. It specifically affects the JavaDoc hover provider feature, which incorrectly trusts all Markdown content displayed in JavaDoc hovers. This allows a malicious Java file to embed hidden commands. If a user clicks on a specially crafted link within the JavaDoc hover popup, an attacker can execute arbitrary VS Code commands.

This can lead to full system compromise in trusted workspaces because the attacker can run commands with the privileges of the user running Visual Studio Code.

Detection Guidance

There is no specific detection method or commands provided in the available information to identify this vulnerability on your network or system.

Mitigation advice includes avoiding untrusted Java projects, refraining from clicking unfamiliar links in JavaDoc popups, and disabling the vscode-java extension when not in use.

Impact Analysis

The impact of this vulnerability is severe. An attacker can execute arbitrary commands on your system by tricking you into clicking a malicious link in a JavaDoc hover popup within Visual Studio Code.

This can lead to full system compromise, meaning the attacker could gain control over your system, access sensitive data, install malware, or disrupt your workflows.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should avoid clicking on any suspicious or untrusted JavaDoc hover links within the vscode-java extension in Visual Studio Code.

Additionally, monitor for updates or patches from the extension maintainers or Red Hat and apply them as soon as they become available.

Consider restricting the use of the vscode-java extension in untrusted workspaces to reduce the risk of exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12856. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart