Critical Vulnerability in vscode-java Extension Allows Arbitrary Command Execution
A critical vulnerability, CVE-2026-12856, with a CVSS score of 8.8, was found in the vscode-java extension for Visual Studio Code. This flaw allows a malicious Java file to include hidden commands that can be executed when a user clicks a specially crafted link in a JavaDoc hover popup, potentially leading to full system compromise in trusted workspaces. The vulnerability is currently not actively exploited but requires immediate attention due to its high severity and potential impact. Affected products include Red Hat OpenShift Dev Spaces. Users are advised to apply patches or updates as soon as possible.