#VU121272 Command Injection in Spring CLI VSCode Extension - CVE-2026-22718

 


Published: January 13, 2026


Vulnerability identifier: #VU121272
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-22718
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Spring CLI VSCode Extension
Software vendor: Spring

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary commands.


Remediation

The software is no longer supported by the vendor, and there will be no security patch. It is recommended to stop using this extension.

