CVE Catalog

CVE-2026-12856

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

A flaw was found in the vscode-java extension for Visual Studio Code, where it incorrectly trusts all Markdown content in JavaDoc hovers. A malicious Java file can hide commands, and if a user clicks a specially crafted link in a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands.

Risk Assessment

The risk for the organization includes potential full system compromise in trusted workspaces, which could lead to data theft, malware installation, or further propagation of the attack within the network.

Recommendation

It is recommended to immediately update the vscode-java extension to the latest patched version and train users not to click on suspicious links in JavaDoc hovers.

Original NVD description (English source)

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS