Developers using the Spring CLI extension for Visual Studio Code are being urged to clean up their environments immediately. A new vulnerability, tracked as CVE-2026-22718, has been discovered in the now-defunct extension, allowing malicious actors to execute arbitrary commands on a user’s machine.
The vulnerability, rated with a CVSS score of 6.6, is a Command Injection flaw. This class of bug allows an attacker to craft input in a way that forces the application to run system-level commands it was never intended to run.
For a developer tool like a VS Code extension, this is particularly concerning. It implies that simply using the extension, perhaps by opening a malicious project or interacting with a crafted file, could allow an attacker to run code on the developer’s laptop with the same privileges as the user.
The advisory acknowledges a communication gap regarding the tool’s retirement. “The extension reached EOL on May 14, 2025, but upon receiving the CVE we realized that we could have done a better job communicating the EOL,” the advisory states.
“For this reason and out of an abundance of caution, a CVE has been created for the extension despite being EOL.”
The vulnerability affects Spring CLI VSCode Extension version 0.9.0 and older. Since the product is unsupported, there will be no patch.
“Users of the extension should remove it from their coding environments,” the advisory warns. With no fix coming, the only way to secure the development environment is to uninstall the extension entirely.
The flaw was responsibly reported by security researcher Yue Liu, who identified the risk in the legacy code. Developers are reminded to regularly audit their installed extensions and remove any that are no longer maintained or supported.
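The audit the advisory recommends can be scripted around the VS Code CLI, which lists installed extensions as one `publisher.name@version` line each via `code --list-extensions --show-versions` and removes one with `code --uninstall-extension <id>`. The script below is an added example, not code from the advisory or from the Spring project; the advisory does not give the extension's marketplace identifier, so the id in the retired list is a placeholder that must be replaced with the real one taken from your own `code --list-extensions` output. The version ceiling (0.9.0) is the affected range the advisory states. The sample installed list is constructed for the offline run.

```shell
#!/bin/sh
# Added example (not the advisory's code): flag installed VS Code extensions that are
# on a local EOL/retired list at an affected version, so they can be uninstalled.

# Retired extensions, one per line: "<extension id> <highest affected version>".
# The id below is an ASSUMED PLACEHOLDER; the advisory does not name the marketplace id.
RETIRED_LIST='
PUBLISHER-PLACEHOLDER.spring-cli-placeholder 0.9.0
'

# version_le A B: exit status 0 when dotted version A <= B (numeric, up to 3 components).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".");
        for (i = 1; i <= 3; i++) {
            xi = x[i] + 0; yi = y[i] + 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 0
    }'
}

# audit_extensions: reads "publisher.name@version" lines on stdin (the format printed by
# `code --list-extensions --show-versions`) and prints a FLAG line for every extension
# that matches the retired list at a version within the affected range.
audit_extensions() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%@*}
        ver=${line##*@}
        printf '%s\n' "$RETIRED_LIST" | while read -r rid maxver; do
            [ -n "$rid" ] || continue
            if [ "$id" = "$rid" ] && version_le "$ver" "$maxver"; then
                printf 'FLAG %s@%s is EOL; remove with: code --uninstall-extension %s\n' \
                    "$id" "$ver" "$id"
            fi
        done
    done
}

# Constructed sample output standing in for `code --list-extensions --show-versions`.
SAMPLE_INSTALLED='ms-python.python@2024.4.1
PUBLISHER-PLACEHOLDER.spring-cli-placeholder@0.9.0
redhat.java@1.30.0'

if [ "${1:-}" = "--live" ]; then
    # Audit the real installation (requires the `code` CLI on PATH).
    code --list-extensions --show-versions | audit_extensions
else
    # Offline run against the constructed sample; prints exactly one FLAG line.
    printf '%s\n' "$SAMPLE_INSTALLED" | audit_extensions
fi
```

Run it with `--live` to audit the real installation; without arguments it processes the constructed sample. Extensions above the affected version ceiling or not on the retired list produce no output, which keeps the script usable as a recurring check in a developer onboarding or workstation compliance script.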