Command Injection in vscode-java JavaDoc Hover Provider

Identifiers: CVE-2026-12856, CWE-94

CVE-2026-12856 is a high-severity command injection vulnerability in the vscode-java extension for Visual Studio Code. The flaw is in the JavaDoc hover provider, which incorrectly trusts all Markdown content rendered in JavaDoc hover popups. A malicious Java source file can embed specially crafted JavaDoc content containing hidden command links. When a user opens the file and clicks a crafted link in the hover popup, the extension can invoke arbitrary VS Code commands. Because VS Code commands can trigger powerful extension and workspace actions, exploitation in a trusted workspace can result in full system compromise.


Analyst brief: impact, mitigation and remediation

Impact


Successful exploitation allows an attacker to execute arbitrary VS Code commands in the victim's VS Code context. In trusted workspaces, this can expose or modify local files, invoke extension functionality, and potentially lead to full system compromise. The rated impact is high for confidentiality, integrity, and availability, with changed scope, meaning the effect extends beyond the vulnerable extension itself to the editor and the workspace it controls.

Mitigation


Until patched, avoid opening untrusted Java files in Visual Studio Code, especially in trusted workspaces. Review and harden VS Code workspace trust and extension security settings to reduce the impact of malicious content. Treat JavaDoc hover content from untrusted projects as potentially hostile and avoid clicking links presented in hover popups.

Remediation


Update the vscode-java extension to a fixed version that properly sanitizes or restricts Markdown content in JavaDoc hover rendering. Apply vendor-provided updates immediately wherever the extension is deployed, including environments such as Red Hat OpenShift Dev Spaces if they bundle or expose the affected functionality.
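The advisory says the hover provider trusted all Markdown it rendered, and that the fix is to sanitize or restrict that content. In the VS Code extension API, a `vscode.MarkdownString` only executes `command:` links when its `isTrusted` property is set; leaving it at the default (`false`) or passing `{ enabledCommands: [...] }` to allow-list specific commands is the primary control. The example below, which is added here and is not vscode-java's code or its actual fix, is a defence-in-depth pass an extension could run on JavaDoc-derived Markdown before constructing the hover: it strips inline and reference-style links whose target is a `command:` URI (including the URL-encoded `command%3A` form) and reports which commands the content tried to invoke, so the provider can log them. The sample JavaDoc text and the `example.hidden` command name are constructed for illustration.

```typescript
// Added example, not vscode-java's code: neutralise VS Code command links in
// Markdown destined for a hover, and report what was removed.

export interface CommandLinkFinding {
  label: string;   // visible link text
  command: string; // command id without the scheme or ?args
}

export interface SanitizeResult {
  markdown: string;               // content safe to hand to a MarkdownString
  findings: CommandLinkFinding[]; // command links that were stripped
}

// Inline link: [label](command:some.id?args), optionally wrapped in <...>.
// Scheme may be literal "command:" or URL-encoded "command%3A"; case-insensitive.
const COMMAND_LINK =
  /\[([^\]]*)\]\(\s*<?\s*(command(?::|%3a)[^)\s>]*)\s*>?\s*\)/gi;

// Reference definition on its own line: [label]: command:some.id?args
const COMMAND_REF =
  /^\s*\[([^\]]+)\]:\s*<?(command(?::|%3a)[^\s>]*)>?\s*$/gim;

// Reduce a command URI to the bare command id for logging.
function commandName(uri: string): string {
  let decoded = uri;
  try {
    decoded = decodeURIComponent(uri);
  } catch {
    // malformed percent-escapes: fall back to the raw text
  }
  const afterScheme = decoded.replace(/^command:/i, '');
  const q = afterScheme.indexOf('?');
  return q === -1 ? afterScheme : afterScheme.slice(0, q);
}

// Strip every command link; ordinary http(s) links and text are left intact.
export function sanitizeHoverMarkdown(markdown: string): SanitizeResult {
  const findings: CommandLinkFinding[] = [];

  let out = markdown.replace(COMMAND_LINK, (_m, label: string, uri: string) => {
    findings.push({ label, command: commandName(uri) });
    return label; // keep the visible words, drop the link
  });

  out = out.replace(COMMAND_REF, (_m, label: string, uri: string) => {
    findings.push({ label, command: commandName(uri) });
    return ''; // any [text][label] reference now renders as plain text
  });

  return { markdown: out, findings };
}

// Constructed sample of JavaDoc-derived hover Markdown (not from any real project).
export const SAMPLE_JAVADOC_HOVER = [
  '**Utility.parse(String)**',
  '',
  'Parses the input. See [the spec](https://example.com/spec) for details.',
  '',
  'Click [here to continue](command:workbench.action.openSettings) to configure.',
  '',
  '[more]: command:example.hidden?%5B1%5D',
].join('\n');

console.log(JSON.stringify(sanitizeHoverMarkdown(SAMPLE_JAVADOC_HOVER), null, 2));
```

The filter deliberately keeps the link label rather than deleting the sentence, so legitimate documentation still reads naturally; the `findings` list is what a provider would surface in its output channel or telemetry when a workspace's JavaDoc turns out to contain command links. It complements, and does not replace, leaving `MarkdownString.isTrusted` unset for content that originates in the opened project.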
Public exploits

No public exploits tracked yet; no public exploit code observed for this vulnerability.
