Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Malicious file is delivered remotely (AV:N) and trivially crafted (AC:L) with no auth (PR:N) but needs the victim's click (UI:R), and command execution yields full host compromise (C/I/A:H).
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
AnalysisAI
Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open an attacker-supplied Java file/project in vscode-java, display a JavaDoc hover popup for an attacker-controlled symbol, and click a maliciously crafted link embedded in that hover's Markdown; the workspace must be in trusted (non-Restricted) mode for the injected VS Code commands to execute. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) indicates a network-reachable, low-complexity, unauthenticated path with high confidentiality, integrity and availability impact, gated only by required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a seemingly legitimate Java library or sample project to a public repository, with a class whose JavaDoc comment embeds a malicious command: link disguised as ordinary documentation. A developer clones and opens it in VS Code with the Java extension in a trusted workspace, hovers a method to read its docs, and clicks the link - executing arbitrary VS Code commands that can run code and compromise the host. … |
| Remediation | Patch available per vendor advisory: update the vscode-java extension to the fixed release referenced in GHSA-7qv8-6qrw-3crv (https://github.com/redhat-developer/vscode-java/security/advisories/GHSA-7qv8-6qrw-3crv) and apply the corresponding Red Hat OpenShift Dev Spaces update per https://access.redhat.com/security/cve/CVE-2026-12856 - an exact fixed version number was not provided in the input data and should be taken directly from those advisories rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all developers and environments using vscode-java extension and OpenShift Dev Spaces; issue security notice to cease opening untrusted Java source files. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40084
GHSA-7vqr-7r5j-c84j