{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22718", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:36.841Z", "datePublished": "2026-01-14T05:10:58.485Z", "dateUpdated": "2026-01-14T14:19:10.368Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CLI VSCode Extension", "vendor": "Spring", "versions": [{"status": "affected", "version": "0.9.0 and older"}]}], "datePublic": "2026-01-13T05:09:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.</span><br>"}], "value": "The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-14T05:10:58.485Z"}, "references": [{"url": "https://spring.io/security/cve-2026-22718"}], "source": {"discovery": "UNKNOWN"}, "title": "Command injection vulnerability", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T14:18:27.679388Z", "id": "CVE-2026-22718", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T14:19:10.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22718", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T14:18:27.679388Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T14:18:59.979Z"}}], "cna": {"title": "Command injection vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "CLI VSCode Extension", "versions": [{"status": "affected", "version": "0.9.0 and older"}], "defaultStatus": "unaffected"}], "datePublic": "2026-01-13T05:09:00.000Z", "references": [{"url": "https://spring.io/security/cve-2026-22718"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-01-14T05:10:58.485Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22718", "state": "PUBLISHED", "dateUpdated": "2026-01-14T14:19:10.368Z", "dateReserved": "2026-01-09T06:54:36.841Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-01-14T05:10:58.485Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine."}, {"lang": "es", "value": "La extensi\u00f3n de VSCode para Spring CLI es vulnerable a inyecci\u00f3n de comandos, resultando en la ejecuci\u00f3n de comandos en la m\u00e1quina del usuario."}], "id": "CVE-2026-22718", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.5, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-01-14T05:16:34.570", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22718"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:19:13.764819+00:00", "value": {"mitigation_remediation": ["Update the Spring CLI VSCode Extension to the latest patched release from spring.io or the Visual Studio Code Marketplace.", "If a patch is not yet available, uninstall or disable the extension for users who do not require Spring CLI functionality.", "Enable VSCode\u2019s Workspace Trust setting to prevent extensions from running in untrusted directories and enforce least privilege for users.", "Verify that the extension properly validates or escapes any input passed to system commands to mitigate similar injection issues in the future."], "summary": {"action": "Apply Patch", "impact": "Command Execution"}, "threat_synthesis": {"affected_systems": "The Spring CLI VSCode Extension for Visual Studio Code is vulnerable. No specific affected versions are listed in the advisory.", "description_and_impact": "The vulnerability is a command injection flaw in the Spring CLI VSCode Extension. An attacker can cause the extension to run arbitrary shell commands on the host system, potentially compromising confidentiality, integrity, and availability of the machine.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate severity. The EPSS score is below 1\u202f%, implying a low likelihood of exploitation in the wild. Based on the description, the likely attack vector is local and requires the extension to be installed; an adversary would typically need user interaction or local privileges to trigger the injection. The vulnerability is not in the CISA KEV catalog, so no publicly known exploitation has been reported."}}}}, "created": "2026-01-14T10:48:30.048487+00:00", "updated": "2026-04-18T16:30:05.075538+00:00", "vendors": ["spring", "spring$PRODUCT$cli_vscode_extension"]}