Is CVE-2026-12856 being exploited?

No public exploit is currently tracked.

How severe is CVE-2026-12856?

CVE-2026-12856 has a CVSS v3 severity of HIGH (8.8).

Back

CVE-2026-12856

Description

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDoc hover popup, an attacker can execute arbitrary VS Code commands, which can lead to full system compromise in trusted workspaces.