Search
Find a vulnerability
Search criteria
2 vulnerabilities found for Red Hat OpenShift Dev Spaces 3.29 by Red Hat
CVE-2026-12856 (GCVE-0-2026-12856)
Vulnerability from nvd – Published: 2026-06-29 12:33 – Updated: 2026-07-09 12:09
VLAI
EPSS
VEX
Title
Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension
Summary
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:36820 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-12856 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491278 | issue-trackingx_refsource_REDHAT |
| https://github.com/redhat-developer/vscode-java/s… | |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat OpenShift Dev Spaces 3.29 |
Unaffected:
1782989367 , < *
(rpm)
cpe:/a:redhat:openshift_devspaces:3.29::el9 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.29 |
cpe:/a:redhat:openshift_devspaces:3.29::el9 |
Date Public
2026-06-29 12:25
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:31.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-29T12:25:07.165Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T12:09:59.699Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-12856"
},
{
"name": "RHBZ#2491278",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491278"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12856.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T17:33:27.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-29T12:25:07.165Z",
"value": "Made public."
}
],
"title": "vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"packageName": "devspaces/pluginregistry-rhel9",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782989367",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank byte256 for reporting this issue."
}
],
"datePublic": "2026-06-29T12:25:07.165Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T17:15:08.952Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:36820",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-12856"
},
{
"name": "RHBZ#2491278",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491278"
},
{
"url": "https://github.com/redhat-developer/vscode-java/security/advisories/GHSA-7qv8-6qrw-3crv"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T17:33:27.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-29T12:25:07.165Z",
"value": "Made public."
}
],
"title": "Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-12856",
"datePublished": "2026-06-29T12:33:52.141Z",
"dateReserved": "2026-06-22T06:09:52.759Z",
"dateUpdated": "2026-07-09T12:09:59.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12856 (GCVE-0-2026-12856)
Vulnerability from cvelistv5 – Published: 2026-06-29 12:33 – Updated: 2026-07-09 12:09
VLAI
EPSS
VEX
Title
Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension
Summary
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:36820 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-12856 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2491278 | issue-trackingx_refsource_REDHAT |
| https://github.com/redhat-developer/vscode-java/s… | |
| https://security.access.redhat.com/data/csaf/v2/v… | x_sadp-csaf-vex |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat OpenShift Dev Spaces 3.29 |
Unaffected:
1782989367 , < *
(rpm)
cpe:/a:redhat:openshift_devspaces:3.29::el9 |
|
| Red Hat | Red Hat OpenShift Dev Spaces 3.29 |
cpe:/a:redhat:openshift_devspaces:3.29::el9 |
Date Public
2026-06-29 12:25
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12856",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:31.282Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"affected": [
{
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-29T12:25:07.165Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T12:09:59.699Z",
"orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
"shortName": "redhat-SADP"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-12856"
},
{
"name": "RHBZ#2491278",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491278"
},
{
"tags": [
"x_sadp-csaf-vex"
],
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12856.json"
},
{
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
}
],
"solutions": [
{
"lang": "en",
"value": "RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T17:33:27.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-29T12:25:07.165Z",
"value": "Made public."
}
],
"title": "vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality."
}
],
"x_adpType": "supplier",
"x_generator": {
"engine": "sadp-cli 1.0.0"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:openshift_devspaces:3.29::el9"
],
"defaultStatus": "affected",
"packageName": "devspaces/pluginregistry-rhel9",
"product": "Red Hat OpenShift Dev Spaces 3.29",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1782989367",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank byte256 for reporting this issue."
}
],
"datePublic": "2026-06-29T12:25:07.165Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T17:15:08.952Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:36820",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36820"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-12856"
},
{
"name": "RHBZ#2491278",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491278"
},
{
"url": "https://github.com/redhat-developer/vscode-java/security/advisories/GHSA-7qv8-6qrw-3crv"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T17:33:27.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-29T12:25:07.165Z",
"value": "Made public."
}
],
"title": "Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-12856",
"datePublished": "2026-06-29T12:33:52.141Z",
"dateReserved": "2026-06-22T06:09:52.759Z",
"dateUpdated": "2026-07-09T12:09:59.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}