CVE-2026-12856
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
A flaw was found in the vscode-java extension for Visual Studio Code, where it incorrectly trusts all Markdown content in JavaDoc hovers. A malicious Java file can hide commands, and if a user clicks a specially crafted link in a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands.
Risk Assessment
The risk for the organization includes potential full system compromise in trusted workspaces, which could lead to data theft, malware installation, or further propagation of the attack within the network.
Recommendation
It is recommended to immediately update the vscode-java extension to the latest patched version and train users not to click on suspicious links in JavaDoc hovers.
Original NVD description (English source)
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

