Java Language Support Flaw in Visual Studio Code Extension by Red Hat
CVE-2026-12856

8.8 HIGH

Key Information:

Vendor: Red Hat
CVE Published: 29 June 2026

What is CVE-2026-12856?

A vulnerability has been identified in the vscode-java extension for Visual Studio Code that undermines the trust model applied to Markdown content rendered in JavaDoc hovers. Because of this flaw, a malicious Java file can embed concealed commands in its JavaDoc. If an unsuspecting user clicks a specially crafted link in a JavaDoc hover popup, arbitrary commands can be executed within Visual Studio Code, which poses a significant risk of full system compromise, particularly in environments that are otherwise locked down.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Credit

Red Hat would like to thank byte256 for reporting this issue.