The flaw, tracked as CVE-2026-22718, enables attackers to execute arbitrary commands on affected machines, resulting in a medium-severity impact.
The vulnerability affects Spring CLI VSCode Extension version 0.9.0 and earlier. Although the extension reached end-of-life on May 14, 2025, the Spring team disclosed the CVE to ensure proper security communication with users who may still have the extension installed.
The command injection flaw operates locally and requires user interaction to trigger exploitation.
| CVE ID | Product | CVSS Score | Attack Vector |
|---|---|---|---|
| CVE-2026-22718 | Spring CLI VSCode Extension | 6.3 | Local (AV:L) |
An attacker with local access could manipulate the extension’s input handling to inject malicious commands, ultimately gaining execution privileges on the developer’s machine.
The vulnerability received a CVSS score of 6.3 (Medium), reflecting its local attack vector and user interaction requirement.
However, the potential impact remains significant: successful exploitation enables attackers to read sensitive files, modify system configurations, and compromise development environments that store source code and credentials.
All versions of Spring CLI VSCode Extension up to 0.9.0 remain vulnerable. Since the extension officially reached EOL in May 2025, no patches have been released or will be provided.
Developers currently relying on Spring CLI functionality should transition to alternative tools and use updated Spring development methods that do not depend on the legacy extension.
Organizations and individual developers who have the Spring CLI VSCode extension installed should prioritize removing it. The vulnerability disclosure underscores the importance of deprecating legacy development tools and of maintaining clear communication about the security risks associated with end-of-life software. Continued use of the extension exposes development systems to potential compromise.
The Spring team recommends removing the extension from development environments immediately. Users should uninstall the extension from VS Code’s extension marketplace or manually delete the extension folder.
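An added example, not code from the advisory or the Spring project, of the inventory check a defender would run before uninstalling: it scans a `code --list-extensions --show-versions` listing for the extension at version 0.9.0 or earlier. The article does not give the extension's marketplace identifier, so `EXT_ID` is a placeholder, and the listing below is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Spring project.
# Scans a `code --list-extensions --show-versions` listing (lines of the form
# publisher.name@version) for the Spring CLI VSCode Extension at 0.9.0 or earlier.
# EXT_ID is a PLACEHOLDER: the article does not give the marketplace identifier,
# so replace it with the real one before running against a workstation.
EXT_ID="${EXT_ID:-PLACEHOLDER-PUBLISHER.spring-cli-vscode}"
MAX_VULN="0.9.0"   # highest affected version per the advisory; EOL, no fix coming

# version_le A B: succeeds when dotted version A <= B (compares each numeric field).
version_le() {
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# find_vulnerable LISTING: prints the installed version if an affected copy of
# the extension is present; prints nothing otherwise.
find_vulnerable() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in *@*) ;; *) continue ;; esac   # skip lines without a version
        id="${line%@*}"
        ver="${line##*@}"
        [ "$id" = "$EXT_ID" ] || continue
        version_le "$ver" "$MAX_VULN" && printf '%s\n' "$ver"
    done
}

# Constructed sample listing; on a real machine use:
#   find_vulnerable "$(code --list-extensions --show-versions)"
SAMPLE_LISTING='ms-python.python@2024.4.1
PLACEHOLDER-PUBLISHER.spring-cli-vscode@0.9.0
redhat.java@1.30.0'

found=$(find_vulnerable "$SAMPLE_LISTING")
if [ -n "$found" ]; then
    echo "affected Spring CLI extension $found installed; remove it with:"
    echo "  code --uninstall-extension $EXT_ID"
fi
```

Run it over each developer workstation's listing; a non-empty result means the extension should be removed with `code --uninstall-extension` as the advisory recommends.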
The issue was responsibly disclosed by security researcher Yue Liu, allowing the Spring team sufficient time to assess and communicate the risk before public disclosure.
The post Spring CLI Tool Vulnerability Enables Command Execution on the Users Machine appeared first on Cyber Security News.