Spring Security Advisories

RSS feed

CVE-2026-22718: Command injection on user machine using VSCode extension for Spring CLI

MEDIUM | JANUARY 13, 2026 | CVE-2026-22718

Description

The following versions of the VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. The extension reached EOL on May 14, 2025, but upon receiving the CVE we realized that we could have done a better job communicating the EOL. For this reason and out of an abundance of caution, a CVE has been created for the extension despite being EOL.

Affected Spring Products and Versions

Spring CLI VSCode Extension:

  • 0.9.0 and older - all unsupported

Mitigation

Due to the extension reached EOL on May 14, 2025, users of the extension should remove it from their coding environments.

Credit

The issue was reported responsibly by Yue Liu - https://yueyuel.github.io/

References

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:F/RL:X/RC:X&version=3.1

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all