CVE-2026-12856
Status: Received - Intake

VS Code Java Extension Markdown Command Injection

Vulnerability report for CVE-2026-12856, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Red Hat, Inc.

Description

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
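The description above turns on one mechanism: hover Markdown that the extension treats as trusted can carry links whose target is a command URI, and clicking such a link runs that editor command. As an added illustration (not code from vscode-java or from this report), the TypeScript below scrubs `command:` links out of JavaDoc-derived Markdown before it would reach a hover and reports what it removed so the event can be logged; the sample comment text and the command names in it are constructed placeholders, and the helper names are hypothetical.

```typescript
// Added illustration, not vscode-java's code: neutralise command links in
// Markdown that originated in a workspace JavaDoc comment, before it is shown
// in a hover. Assumption: `doc` is the raw Markdown the hover provider would
// otherwise pass to the editor as trusted content.

interface ScrubResult {
  markdown: string;   // text with command links neutralised
  removed: string[];  // the command URIs that were stripped, for logging
}

// Inline links and images: [label](target) / ![alt](target "title")
const INLINE_LINK = /!?\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+"[^"]*")?\s*\)/g;
// Reference definitions on their own line: [label]: target
const REF_DEFINITION = /^\s*\[([^\]]+)\]:\s*(\S+)/gm;
// Autolinks: <scheme:rest>
const AUTOLINK = /<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]*)>/g;

// True when the link target uses the command URI scheme, after undoing one
// round of percent-encoding and ignoring case so "COMMAND:" or "c%6fmmand:"
// are caught as well.
function isCommandUri(target: string): boolean {
  let t = target.trim().replace(/^<|>$/g, "");
  try {
    t = decodeURIComponent(t);
  } catch (_e) {
    // malformed escape: evaluate the raw text instead
  }
  return /^\s*command:/i.test(t);
}

// Remove every command link, keeping the visible label text so the hover
// still reads naturally, and return the stripped targets.
function scrubCommandLinks(doc: string): ScrubResult {
  const removed: string[] = [];
  let out = doc;

  out = out.replace(INLINE_LINK, (whole: string, label: string, target: string) => {
    if (!isCommandUri(target)) return whole;
    removed.push(target);
    return label;
  });
  out = out.replace(REF_DEFINITION, (whole: string, _label: string, target: string) => {
    if (!isCommandUri(target)) return whole;
    removed.push(target);
    return "";
  });
  out = out.replace(AUTOLINK, (whole: string, target: string) => {
    if (!isCommandUri(target)) return whole;
    removed.push(target);
    return "";
  });

  return { markdown: out, removed };
}

// Constructed sample of JavaDoc-derived Markdown; the command names are
// hypothetical placeholders, not anything from the CVE report.
const SAMPLE_DOC: string = [
  "Returns the user's home directory.",
  "See [docs](https://example.invalid/api) and [details](command:example.doSomething?%5B%22arg%22%5D).",
  "<command:example.other>",
  "[ref]: command:example.third",
].join("\n");

const sampleResult: ScrubResult = scrubCommandLinks(SAMPLE_DOC);
console.log(`stripped ${sampleResult.removed.length} command link(s)`);
console.log(sampleResult.markdown);
```

In a real extension the cheaper defence is to leave `MarkdownString.isTrusted` at its default (false) for content that came from workspace files, or to restrict it to an explicit allow-list with `isTrusted = { enabledCommands: [...] }`; scrubbing as above adds a signal that can be logged when a comment in the workspace tried to smuggle a command link.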


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor    Product                  Version / Range
redhat    vscode-java_extension    *
redhat    vscode-java              to 2026-06-22 (inc)

Exploitability

CWE ID    Description
CWE-88    The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Executive Summary

This vulnerability is a command injection flaw found in the vscode-java extension for Visual Studio Code. It specifically affects the JavaDoc hover provider feature, which incorrectly trusts all Markdown content displayed in JavaDoc hovers. This allows a malicious Java file to embed hidden commands. If a user clicks on a specially crafted link within the JavaDoc hover popup, an attacker can execute arbitrary VS Code commands.

This can lead to full system compromise in trusted workspaces because the attacker can run commands with the privileges of the user running Visual Studio Code.

Impact Analysis

The impact of this vulnerability is severe. An attacker can execute arbitrary commands on your system by tricking you into clicking a malicious link in a JavaDoc hover popup within Visual Studio Code.

This can lead to full system compromise, meaning the attacker could gain control over your system, access sensitive data, install malware, or disrupt your workflows.
