Skip to main content

vscode-java CVE-2026-12856

| EUVDEUVD-2026-40084 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-29 redhat GHSA-7vqr-7r5j-c84j
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Malicious file is delivered remotely (AV:N) and trivially crafted (AC:L) with no auth (PR:N) but needs the victim's click (UI:R), and command execution yields full host compromise (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 14:24 vuln.today

DescriptionCVE.org

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

AnalysisAI

Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft Java file with malicious JavaDoc link
Delivery
Deliver via public repo or shared project
Exploit
Victim opens project in trusted workspace
Execution
Victim hovers and clicks JavaDoc link
Persist
Arbitrary VS Code commands execute
Impact
Full host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open an attacker-supplied Java file/project in vscode-java, display a JavaDoc hover popup for an attacker-controlled symbol, and click a maliciously crafted link embedded in that hover's Markdown; the workspace must be in trusted (non-Restricted) mode for the injected VS Code commands to execute. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) indicates a network-reachable, low-complexity, unauthenticated path with high confidentiality, integrity and availability impact, gated only by required user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a seemingly legitimate Java library or sample project to a public repository, with a class whose JavaDoc comment embeds a malicious command: link disguised as ordinary documentation. A developer clones and opens it in VS Code with the Java extension in a trusted workspace, hovers a method to read its docs, and clicks the link - executing arbitrary VS Code commands that can run code and compromise the host. …
Remediation Patch available per vendor advisory: update the vscode-java extension to the fixed release referenced in GHSA-7qv8-6qrw-3crv (https://github.com/redhat-developer/vscode-java/security/advisories/GHSA-7qv8-6qrw-3crv) and apply the corresponding Red Hat OpenShift Dev Spaces update per https://access.redhat.com/security/cve/CVE-2026-12856 - an exact fixed version number was not provided in the input data and should be taken directly from those advisories rather than assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all developers and environments using vscode-java extension and OpenShift Dev Spaces; issue security notice to cease opening untrusted Java source files. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-12856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy