<Vulnerability name="CVE-2026-12856">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-29T12:25:07</PublicDate>
    <Bugzilla id="2491278" url="https://bugzilla.redhat.com/show_bug.cgi?id=2491278" xml:lang="en:us">
vscode-java: vscode: Command Injection vulnerability in the JavaDoc hover provider of the vscode-java extension
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>8.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-88</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.
    </Details>
    <Statement xml:lang="en:us">
The Red Hat Product Security team has assessed the severity of this vulnerability as Important, given that it requires a user to open a malicious Java source file and interact with a hover popup. Successful exploitation allows an attacker to execute arbitrary commands within the context of the VS Code editor and potentially the underlying operating system. The vulnerability's root cause is the over-trusting of Markdown content returned by the Java language server, which fails to isolate extension-generated trusted links from attacker-controlled JavaDoc content.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank byte256 for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, users should avoid opening or interacting with untrusted Java projects or files within Red Hat OpenShift Dev Spaces. Exercise caution and refrain from clicking on unfamiliar links presented in JavaDoc hover popups, particularly when working with code from unverified sources. Disabling the `vscode-java` extension when not actively engaged in Java development can further reduce exposure, though this will impact Java-related functionality.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:openshift_devspaces:3.29::el9">
        <ProductName>Red Hat OpenShift Dev Spaces 3.29</ProductName>
        <ReleaseDate>2026-07-08T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:36820">RHSA-2026:36820</Advisory>
        <Package name="devspaces/pluginregistry-rhel9">devspaces/pluginregistry-rhel9:1782989367</Package>
    </AffectedRelease>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-12856
https://nvd.nist.gov/vuln/detail/CVE-2026-12856
https://github.com/redhat-developer/vscode-java/security/advisories/GHSA-7qv8-6qrw-3crv
    </References>
</Vulnerability>