PT-2026-41314 · Microsoft · Turborepo Lsp Vs Code Extension

Published

2026-05-15

·

Updated

2026-05-15

·

CVE-2026-46508

CVSS v4.0

8.4

High

VectorAV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Turborepo LSP VS Code extension versions prior to 2.9.14000
Description The Turborepo LSP VS Code extension allows arbitrary command execution with the privileges of the local VS Code process. This occurs because the extension uses string-based command execution for Turborepo daemon commands and task runs. A malicious workspace can provide crafted values through workspace settings or task names in the repository source code that are interpolated into shell commands. These values are interpreted by the user's shell when the extension activates or when a user runs a task through the extension.
Recommendations Update to version 2.9.14000.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46508

Affected Products

Turborepo Lsp Vs Code Extension