Skip to main content

Red Hat Openshift Dev Spaces

1 CVEs product

Monthly

CVE-2026-12856 HIGH PATCH This Week

Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.

Java RCE Red Hat Openshift Dev Spaces
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary VS Code command execution in the Red Hat vscode-java extension allows a malicious Java source file to embed hidden commands inside JavaDoc hover Markdown, so that a developer who simply clicks a crafted link in a hover popup triggers attacker-chosen commands that can escalate to full system compromise in trusted workspaces. The flaw stems from the extension rendering JavaDoc hovers as fully-trusted Markdown, and it also affects Red Hat OpenShift Dev Spaces, which bundles the extension. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network reach combined with only a single click of user interaction makes it high-impact.

Java RCE Red Hat Openshift Dev Spaces
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy