Vulnerability Details CVE-2026-12856
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 21.0%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2026-12856
-
cpe:2.3:a:redhat:openshift_dev_spaces:-