Spring
CVE-2026-22718
MEDIUM
Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.
AnalysisAI
Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arbitrary commands on their machine through unsanitized input. An attacker with local access could exploit this to compromise the affected system, though no patch is currently available.
Technical ContextAI
Classified as CWE-78 (OS Command Injection). The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.
Affected ProductsAI
The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.
RemediationAI
Monitor vendor advisories for a patch.
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severi
Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user dat
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant
SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through t
Spring Security Aspects may not correctly locate method security annotations on private methods. Rated critical severity
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been crea
Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to
Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. Ra
Spring Data Geode's snapshot import functionality uses predictable temporary directories with overly permissive permissi
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarc
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarch
A vulnerability was found in Exrick xboot up to 3.3.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today