Description
The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.
Published: 2026-01-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in the Spring CLI VSCode Extension. An attacker can cause the extension to run arbitrary shell commands on the host system, potentially compromising confidentiality, integrity, and availability of the machine.

Affected Systems

The Spring CLI VSCode Extension for Visual Studio Code is vulnerable. No specific affected versions are listed in the advisory.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity. The EPSS score is below 1 %, implying a low likelihood of exploitation in the wild. Based on the description, the likely attack vector is local and requires the extension to be installed; an adversary would typically need user interaction or local privileges to trigger the injection. The vulnerability is not in the CISA KEV catalog, so no publicly known exploitation has been reported.

Generated by OpenCVE AI on April 18, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Spring CLI VSCode Extension to the latest patched release from spring.io or the Visual Studio Code Marketplace.
  • If a patch is not yet available, uninstall or disable the extension for users who do not require Spring CLI functionality.
  • Enable VSCode’s Workspace Trust setting to prevent extensions from running in untrusted directories and enforce least privilege for users.
  • Verify that the extension properly validates or escapes any input passed to system commands to mitigate similar injection issues in the future.

Generated by OpenCVE AI on April 18, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://spring.io/security/cve-2026-22718 cve-icon cve-icon
History

Wed, 14 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring cli Vscode Extension
Vendors & Products Spring
Spring cli Vscode Extension

Wed, 14 Jan 2026 05:15:00 +0000

Type Values Removed Values Added
Description The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.
Title Command injection vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Spring Cli Vscode Extension
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-01-14T14:19:10.368Z

Reserved: 2026-01-09T06:54:36.841Z

Link: CVE-2026-22718

cve-icon Vulnrichment

Updated: 2026-01-14T14:18:59.979Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T05:16:34.570

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22718

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses