A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | cpe:/a:redhat:openshift_devspaces:3.29::el9 | |
| References |
|
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Redhat openshift Dev Spaces
|
|
| Vendors & Products |
Redhat openshift Dev Spaces
|
Tue, 30 Jun 2026 00:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 29 Jun 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 29 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces. | |
| Title | Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension | |
| First Time appeared |
Redhat
Redhat openshift Devspaces |
|
| Weaknesses | CWE-88 | |
| CPEs | cpe:/a:redhat:openshift_devspaces:3 | |
| Vendors & Products |
Redhat
Redhat openshift Devspaces |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: redhat
Published: 2026-06-29T12:33:52.141Z
Updated: 2026-07-09T12:09:59.699Z
Reserved: 2026-06-22T06:09:52.759Z
Link: CVE-2026-12856
Updated: 2026-07-09T12:09:59.699Z
No data.