Cyber Resilience

CVE-2026-12856

High

Published: 29 June 2026

Modified: 30 June 2026
KEV Added: 
Patch: 
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (21.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-12856 is a high-severity Argument Injection (CWE-88) vulnerability in Redhat (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE is ranked at the 21.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Arbitrary VS Code command execution via crafted Markdown hover directly enables subsequent use of command/script interpreters for system compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3515 (shared CWE-88)
CVE-2026-22583 (shared CWE-88)
CVE-2026-42284 (shared CWE-88)
CVE-2026-44450 (shared CWE-88)
CVE-2026-53694 (shared CWE-88)
CVE-2026-41013 (shared CWE-88)
CVE-2026-44790 (shared CWE-88)
CVE-2025-21613 (shared CWE-88)
CVE-2025-3945 (shared CWE-88)
CVE-2022-31749 (shared CWE-88)

Affected Assets

Redhat
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References