CVE-2026-12856
HIGHDescription
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-12856? +
How severe is CVE-2026-12856? +
How do I check if I'm vulnerable to CVE-2026-12856? +
Related Vulnerabilities
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.This issue affects Nomachine: before …
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution …
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects …
Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a …
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command …
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior …