1 vulnerability found for CLI VSCode Extension by Spring
CVE-2026-22718 (GCVE-0-2026-22718)
Vulnerability from cvelistv5
Published
2026-01-14 05:10
Modified
2026-01-14 14:19
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
The VSCode extension for Spring CLI is vulnerable to command injection, resulting in command execution on the user's machine.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Spring | CLI VSCode Extension | 0.9.0 and older |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-14T14:18:27.679388Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T14:19:10.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CLI VSCode Extension",
"vendor": "Spring",
"versions": [
{
"status": "affected",
"version": "0.9.0 and older"
}
]
}
],
"datePublic": "2026-01-13T05:09:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T05:10:58.485Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22718"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Command injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22718",
"datePublished": "2026-01-14T05:10:58.485Z",
"dateReserved": "2026-01-09T06:54:36.841Z",
"dateUpdated": "2026-01-14T14:19:10.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}