Description
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Published: 2026-06-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vscode-java extension renders all Markdown in JavaDoc hover popups as trusted content. Because that Markdown is built from JavaDoc comments in the workspace's own source files, a malicious Java file can embed links that look ordinary but carry a VS Code command; when the user clicks one, VS Code runs that command with the user's privileges in the editor. The description scopes full system compromise to trusted workspaces, which on Red Hat OpenShift Dev Spaces 3 means the user's Dev Spaces workspace. The weakness is tracked as CWE-88 (argument injection: the link target is a command plus attacker-chosen arguments, not neutralized before the editor acts on it).
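The mechanism the description points at is VS Code's handling of `command:` links in hover Markdown: a MarkdownString whose isTrusted property is set runs the named command when the link is clicked, while untrusted Markdown renders such links inert (isTrusted may also be an object with an enabledCommands allowlist). The TypeScript below is an added example, not code from vscode-java or VS Code: it models that trust rule, shows a constructed JavaDoc comment with two disguised command links, lists the commands the hover would fire, and strips them so the hover keeps its wording but nothing can execute. Function names, the sample JavaDoc and the command id example.extension.run are assumptions; whether the upstream fix marks the hover untrusted or filters links is not stated on this page.

```typescript
// Added example; not code from vscode-java or VS Code. Models how VS Code
// treats links in hover Markdown: a `command:` URI runs a command on click
// only when the MarkdownString is trusted. JavaDoc pulled from an arbitrary
// source file must therefore stay untrusted or have such links removed.

/** Mirrors the shape of vscode.MarkdownString.isTrusted. */
type HoverTrust = boolean | { enabledCommands: readonly string[] };

// Constructed sample: a JavaDoc comment an attacker could place in a .java
// file. Both links hide a VS Code command behind innocent-looking text;
// example.extension.run is a made-up command id.
const CRAFTED_JAVADOC = [
  "/**",
  " * Returns the current user id.",
  " * See [the API guide](command:workbench.action.openSettings) for details",
  ' * or <a href="command:example.extension.run?%5B%22arg%22%5D">this page</a>.',
  " * Safe link: [javadoc](https://docs.example.invalid/user)",
  " */",
].join("\n");

// Markdown inline link  [text](target)  and raw HTML anchor  <a href="target">text</a>
const MD_LINK = /\[([^\]]*)\]\(\s*<?([^)\s>]+)>?\s*\)/g;
const HTML_LINK = /<a\s+[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)<\/a>/gi;

/** Command id from a `command:` URI, or undefined for any other scheme. */
function commandIdOf(target: string): string | undefined {
  const t = target.trim();
  if (!/^command:/i.test(t)) return undefined;
  // Arguments follow a '?' as URI-encoded JSON; the id is everything before it.
  return t.slice("command:".length).split("?")[0];
}

/** Every command the hover would be asked to run if its links were clicked. */
function findCommandLinks(markdown: string): string[] {
  const ids: string[] = [];
  const patterns: Array<{ re: RegExp; targetGroup: number }> = [
    { re: new RegExp(MD_LINK.source, "g"), targetGroup: 2 },
    { re: new RegExp(HTML_LINK.source, "gi"), targetGroup: 1 },
  ];
  for (const p of patterns) {
    let m: RegExpExecArray | null;
    while ((m = p.re.exec(markdown)) !== null) {
      const id = commandIdOf(m[p.targetGroup]);
      if (id !== undefined) ids.push(id);
    }
  }
  return ids;
}

/** Rewrites command links to their plain link text; ordinary URLs are kept. */
function stripCommandLinks(markdown: string): string {
  return markdown
    .replace(MD_LINK, (whole: string, text: string, target: string) =>
      commandIdOf(target) === undefined ? whole : text)
    .replace(HTML_LINK, (whole: string, target: string, text: string) =>
      commandIdOf(target) === undefined ? whole : text);
}

/** What a click does under a given trust setting (VS Code's rule, modelled). */
function clickOutcome(
  target: string,
  trust: HoverTrust
): "runs-command" | "blocked" | "opens-url" {
  const id = commandIdOf(target);
  if (id === undefined) return "opens-url";
  if (trust === true) return "runs-command";
  if (trust !== false && trust.enabledCommands.indexOf(id) >= 0) return "runs-command";
  return "blocked";
}

// Stand-alone run: show what the crafted JavaDoc would do, then neutralize it.
console.log("commands hidden in hover:", findCommandLinks(CRAFTED_JAVADOC));
console.log("untrusted hover click:", clickOutcome("command:workbench.action.openSettings", false));
console.log(stripCommandLinks(CRAFTED_JAVADOC));
```

In a real extension the equivalent of the false branch is leaving MarkdownString.isTrusted unset (its default), or passing { enabledCommands: [...] } so that only the extension's own commands can be reached from a hover; stripping is the fallback when the Markdown has to be trusted for other reasons.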

Affected Systems

The affected product recorded on this page is Red Hat OpenShift Dev Spaces 3 (cpe:/a:redhat:openshift_devspaces:3), which bundles the vscode-java extension; no fixed version is listed here. The extension itself is also distributed outside Dev Spaces for Visual Studio Code, but only the Dev Spaces record appears in this page's affected list, so do not read that list as a statement about other distributions.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) rates this flaw High: the attacker needs no privileges, only a crafted Java file that reaches the user's workspace (for example through a cloned repository or a dependency's sources) and one click on a link in the resulting JavaDoc hover. The EPSS estimate is below 1% and the CVE is not in the CISA KEV catalog, so there is no sign of exploitation in the wild; the SSVC assessment in the history below records Exploitation: none, Automatable: no, Technical Impact: total. The risk still deserves attention in development environments, where opening third-party Java code is routine. A successful click gives the attacker command execution inside the editor, and the description scopes full system compromise to trusted workspaces; VS Code's Workspace Trust is therefore the boundary that matters, and projects from unverified sources should not be marked trusted.

Generated by OpenCVE AI on June 29, 2026 at 14:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality.


OpenCVE Recommended Actions

  • Avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces.
  • Refrain from clicking unfamiliar links presented in JavaDoc hover popups.
  • Disable the vscode‑java extension when not actively engaged in Java development.

Generated by OpenCVE AI on June 29, 2026 at 14:21 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Redhat openshift Dev Spaces
Vendors & Products   (none)           Redhat openshift Dev Spaces

Tue, 30 Jun 2026 00:45:00 +0000

Type         Values Removed           Values Added
References   (none)                   (none shown)
Metrics      threat_severity: None    threat_severity: Important


Mon, 29 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Title                (none)           Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension
First Time appeared  (none)           Redhat; Redhat openshift Devspaces
Weaknesses           (none)           CWE-88
CPEs                 (none)           cpe:/a:redhat:openshift_devspaces:3
Vendors & Products   (none)           Redhat; Redhat openshift Devspaces
References           (none)           (none shown)
Metrics              (none)           cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T12:06:53.061Z

Reserved: 2026-06-22T06:09:52.759Z

Link: CVE-2026-12856

Vulnrichment

Updated: 2026-06-29T14:49:31.497Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-29T12:25:07Z

Links: CVE-2026-12856 - Bugzilla

OpenCVE Enrichment

Updated: 2026-07-01T10:04:34Z

Weaknesses
  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')