What happened
A critical command injection flaw in the Spring CLI extension for Visual Studio Code, tracked as CVE-2026-22718, puts developers running outdated versions of the tool at risk of local system compromise. The vulnerability lets an attacker execute arbitrary commands on a developer's machine when the extension processes crafted input. The extension reached end-of-life in May 2025 and will not receive a patch, yet it remains installed in some development environments. Exploitation requires user interaction with the vulnerable extension, but once triggered it runs arbitrary local commands, which can lead to further compromise of development assets or build systems. Spring CLI version 0.9.0 and earlier releases are affected; developers are urged to remove the deprecated extension in favor of modern, supported tooling.
Who is affected
Developers and build systems with the outdated Spring CLI VSCode extension installed are directly exposed to arbitrary command execution when they interact with crafted input; organizations using this toolchain could see downstream impacts on build integrity.
Why CISOs should care
Vulnerabilities in development toolchains raise software supply chain risk: a threat actor who can execute code on a developer workstation may pivot into source repositories, CI/CD pipelines, or sensitive internal networks.
3 practical actions
- Remove deprecated tooling: Uninstall the EOL Spring CLI VSCode extension from all developer systems.
- Review developer environments: Audit all IDE extensions and plugins, and replace unsupported ones with supported, secure alternatives.
- Educate developers: Communicate risks of using unsupported tools and enforce secure development standards.
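The first two actions amount to one procedure: inventory the extensions on each developer machine, flag the Spring CLI extension, and remove it. The script below is an added example (not code from the advisory or from the Spring project) that does this with the documented VS Code CLI flags `--list-extensions --show-versions` and `--uninstall-extension`. It assumes the extension's marketplace ID contains the string `spring-cli`; the real identifier may differ, so check `code --list-extensions` on a known-affected machine and adjust `SPRING_CLI_PATTERN`. The embedded listing is constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example: find and remove the EOL Spring CLI VS Code extension.
# ASSUMPTION: the extension ID contains "spring-cli". Verify against
# `code --list-extensions` before relying on this pattern.
SPRING_CLI_PATTERN='spring-cli'

# Constructed sample of `code --list-extensions --show-versions` output
# (id@version per line). Not real data; the publisher name is invented.
SAMPLE_LISTING='ms-python.python@2024.2.1
vmware.vscode-spring-boot@1.55.0
example-publisher.spring-cli@0.9.0
redhat.java@1.29.0'

# find_spring_cli LISTING -> prints each matching "id@version" line.
find_spring_cli() {
    printf '%s\n' "$1" | grep -i -- "$SPRING_CLI_PATTERN" || true
}

# count_spring_cli LISTING -> number of matching extensions (0 means clean).
count_spring_cli() {
    find_spring_cli "$1" | grep -c . || true
}

# audit_host: query the local VS Code install and uninstall any match.
# Returns 0 when clean, 1 when something was found, 2 if `code` is missing.
audit_host() {
    listing=$(code --list-extensions --show-versions 2>/dev/null) || {
        echo "code CLI not on PATH; cannot audit this host" >&2
        return 2
    }
    matches=$(find_spring_cli "$listing")
    if [ -z "$matches" ]; then
        echo "OK: no Spring CLI extension installed"
        return 0
    fi
    printf '%s\n' "$matches" | while IFS= read -r entry; do
        ext_id=${entry%@*}          # strip "@version" to get the bare ID
        echo "FOUND: $entry -> uninstalling $ext_id"
        code --uninstall-extension "$ext_id"
    done
    return 1
}

# Dry run against the constructed sample so the script demonstrates itself.
echo "Sample listing matches: $(count_spring_cli "$SAMPLE_LISTING")"
find_spring_cli "$SAMPLE_LISTING"

# Pass --run to audit (and clean) the real local VS Code install.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Run it with `--run` from a configuration-management job or a login script to cover every developer workstation, and feed the `FOUND:` lines into your asset inventory so the audit in the second action has a record of where the extension was present.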
