CVE-2026-12856 PUBLISHED

Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension

Assigner: redhat
Reserved: 22.06.2026 Published: 29.06.2026 Updated: 29.06.2026

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat OpenShift Dev Spaces
Versions	Default: affected

Workarounds

To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the vscode-java extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality.

Credits

Red Hat would like to thank byte256 for reporting this issue.

References

Problem Types

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE