Lucene search
K

366 matches found

NVD
NVD
added 5 days ago9 views

CVE-2026-12856

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDo...

8.8CVSS0.00297EPSS
Exploits0References4
CVE
CVE
added 5 days ago16 views

CVE-2026-12856

The CVE-2026-12856 entry concerns the vscode-java extension for Visual Studio Code. The vulnerability arises because the extension trusts all Markdown content in JavaDoc hovers, enabling a malicious Java file to include hidden commands. When a user clicks a specially crafted link in a JavaDoc hov...

8.8CVSS6.1AI score0.00297EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 5 days ago9 views

CVE-2026-12856 Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDo...

8.8CVSS6.1AI score0.00297EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-12856

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDo...

8.8CVSS6.1AI score0.00297EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-12856 Vscode-java: vscode: command injection vulnerability in the javadoc hover provider of the vscode-java extension

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDo...

8.8CVSS0.00297EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 5 days ago6 views

CVE-2026-12856

A flaw was found in the vscode-java extension, which provides Java language support for Visual Studio Code. The extension incorrectly trusts all Markdown content in JavaDoc hovers, allowing a malicious Java file to include hidden commands. If a user clicks a specially crafted link within a JavaDo...

8.8CVSS6.1AI score0.00297EPSS
Exploits0References4
OSV
OSV
added 2026/06/22 10:38 p.m.7 views

MAL-2026-6274 Malicious code in web3-token-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c826bf782895b60580b94e3a28a2c4562d3742420ce81e9895ad8568da57890 The package advertises itself as a Web3 fee utility but its main export is a dropper. index.js line 140 base64-decodes a platform-specific command...

5.8AI score
Exploits0References6
Cvelist
Cvelist
added 2026/06/22 3:16 p.m.32 views

CVE-2026-49241 Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations...

8.7CVSS0.00154EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.8 views

CVE-2026-10591

Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths such as .vscode/tasks.json, enabling auto-executio...

8.8CVSS5.9AI score0.00373EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/20 9:7 p.m.38 views

Investigation update: GitHub Enterprise Server signing key rotation

May 26, 2026 : GitHub recently detected a cyber-attack and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. It's important to note that this investigation is still ongoing, and we will continue to...

5.8AI score
Exploits0
Securelist
Securelist
added 2026/05/14 11:0 a.m.13 views

Kimsuky targets organizations with PebbleDash-based tools

Over the past few months, we have conducted an in-depth analysis of specific activity clusters of Kimsuky aka APT43, Ruby Sleet, Black Banshee, Sparkling Pisces, Velvet Chollima, and Springtail, a prolific Korean-speaking threat actor. Our research revealed notable tactical shifts throughout...

6.2AI score
Exploits0
The Hacker News
The Hacker News
added 2026/05/12 11:46 a.m.23 views

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP , the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to inclu...

9.6CVSS6AI score0.02342EPSS
Exploits3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/27 9:21 p.m.11 views

Malicious code in mypypipkg (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a94a9bbd6a292f754fedd6ae737eaf5259925cf382a610c9d63e9d210a3f3677 When running as a module, the package starts a VSCode tunnel and exfiltrates the connection link to the hardcoded target. This lets the attacker connect the...

5.5AI score
Exploits0References1
OSV
OSV
added 2026/04/27 9:21 p.m.12 views

MAL-2026-3105 Malicious code in mypypipkg (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a94a9bbd6a292f754fedd6ae737eaf5259925cf382a610c9d63e9d210a3f3677 When running as a module, the package starts a VSCode tunnel and exfiltrates the connection link to the hardcoded target. This lets the attacker connect the...

5.6AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/04/16 9:58 a.m.6 views

Malicious code in gemini-cli-vscode-ide-companion (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a98d87fa5f23a47c4b1ea2c0cecb3e88518985493c1b7f125299ecf8ee6dba1 The package gemini-cli-vscode-ide-companion was found to contain malicious code...

5.7AI score
Exploits0
OSV
OSV
added 2026/04/16 9:58 a.m.6 views

MAL-2026-2764 Malicious code in gemini-cli-vscode-ide-companion (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a98d87fa5f23a47c4b1ea2c0cecb3e88518985493c1b7f125299ecf8ee6dba1 The package gemini-cli-vscode-ide-companion was found to contain malicious code...

5.7AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/04/01 5:0 a.m.5 views

CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a...

9.8CVSS6.3AI score0.00479EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/01 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-34060

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch...

9.8CVSS6.3AI score0.00479EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/31 1:59 a.m.3 views

CVE-2026-34060

Ruby LSP is an implementation of the language server protocol for Ruby. Prior to Shopify.ruby-lsp version 0.10.2 and ruby-lsp version 0.26.9, the rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a...

7.1CVSS6.3AI score0.00479EPSS
Exploits0References3Affected Software2
Positive Technologies
Positive Technologies
added 2026/03/27 12:0 a.m.7 views

PT-2026-28598

Name of the Vulnerable Software and Affected Versions ruby-lsp versions prior to 0.10.2 ruby-lsp gem versions prior to 0.26.9 Description The rubyLsp.branch VS Code workspace setting was used in generating a Gemfile without proper sanitization, potentially allowing arbitrary Ruby code execution...

9.8CVSS6.4AI score0.00479EPSS
Exploits0References15
Rows per page
Query Builder