Skip to main content

Spring CVE-2026-22718

MEDIUM
OS Command Injection (CWE-78)
2026-01-14 security@vmware.com
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 14, 2026 - 05:16 nvd
MEDIUM 6.8

DescriptionCVE.org

The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.

AnalysisAI

Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arbitrary commands on their machine through unsanitized input. An attacker with local access could exploit this to compromise the affected system, though no patch is currently available.

Technical ContextAI

Classified as CWE-78 (OS Command Injection). The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.

Affected ProductsAI

The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.

RemediationAI

Monitor vendor advisories for a patch.

More in Spring

View all
CVE-2025-41243 CRITICAL POC
10.0 Sep 16

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severi

CVE-2025-70982 CRITICAL POC
9.9 Jan 26

Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user dat

CVE-2025-41242 MEDIUM POC
5.9 Aug 18

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant

CVE-2025-70983 CRITICAL
9.9 Jan 23

SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through t

CVE-2025-41232 CRITICAL
9.1 May 21

Spring Security Aspects may not correctly locate method security annotations on private methods. Rated critical severity

CVE-2025-22235 HIGH
7.3 Apr 28

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been crea

CVE-2025-41234 MEDIUM
6.5 Jun 12

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to

CVE-2025-22223 MEDIUM
5.3 Mar 24

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. Ra

CVE-2026-2817 MEDIUM
4.4 Feb 19

Spring Data Geode's snapshot import functionality uses predictable temporary directories with overly permissive permissi

CVE-2025-41249 HIGH
7.5 Sep 16

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarc

CVE-2025-41248 HIGH
7.5 Sep 16

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarch

CVE-2025-8525 MEDIUM POC
5.5 Aug 04

A vulnerability was found in Exrick xboot up to 3.3.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely

Share

CVE-2026-22718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy