PT-2026-41314 · Microsoft · Turborepo Lsp Vs Code Extension
Published
2026-05-15
·
Updated
2026-05-15
·
CVE-2026-46508
CVSS v4.0
8.4
High
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Turborepo LSP VS Code extension versions prior to 2.9.14000
Description
The Turborepo LSP VS Code extension allows arbitrary command execution with the privileges of the local VS Code process. This occurs because the extension uses string-based command execution for Turborepo daemon commands and task runs. A malicious workspace can provide crafted values through workspace settings or task names in the repository source code that are interpolated into shell commands. These values are interpreted by the user's shell when the extension activates or when a user runs a task through the extension.
Recommendations
Update to version 2.9.14000.
Fix
Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Turborepo Lsp Vs Code Extension