CVE-2021-26700

HIGH

vscode-npm-script - Remote Code Execution

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-26700. PoCs published by jackadamson, jadamson08, june-in-exile.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2021-26700, demonstrating remote code execution in the VSCode NPM extension by manipulating the `npm.bin` setting in `.vscode/settings.json` to execute arbitrary scripts when viewing a `package.json` file.

Description

Visual Studio Code npm-script Extension Remote Code Execution Vulnerability

Exploits (3)

nomisec WORKING POC 20 stars
by jackadamson · poc
https://github.com/jackadamson/CVE-2021-26700

This repository contains a functional proof-of-concept exploit for CVE-2021-26700, demonstrating remote code execution in the VSCode NPM extension by manipulating the `npm.bin` setting in `.vscode/settings.json` to execute arbitrary scripts when viewing a `package.json` file.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: eg2.vscode-npm-script (version 0.3.13 or earlier)
No auth needed
Prerequisites: Vulnerable VSCode extension installed · Target opens a malicious repository in VSCode
devstral-2 · analyzed Feb 18, 2026 Full analysis →
gitlab WORKING POC
by jadamson08 · poc
https://gitlab.com/jadamson08/CVE-2021-26700

This repository contains a functional proof-of-concept exploit for CVE-2021-26700, demonstrating remote code execution in the VSCode extension 'eg2.vscode-npm-script' by manipulating the 'npm.bin' setting in a malicious '.vscode/settings.json' file.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: eg2.vscode-npm-script (version 0.3.13 or earlier)
No auth needed
Prerequisites: Vulnerable VSCode extension installed · Target opens a malicious repository in VSCode · Target views the 'package.json' file
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec WORKING POC
by june-in-exile · poc
https://github.com/june-in-exile/CVE-2021-26700

This repository contains a functional exploit for CVE-2021-26700, a remote code execution vulnerability in the npm extension for Visual Studio Code. The exploit leverages a malicious script hidden in a GitHub repository that executes when a victim opens a crafted package.json file in VS Code with the vulnerable extension installed.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Visual Studio Code npm extension v0.3.13
No auth needed
Prerequisites: Victim must open a malicious repository in VS Code with the vulnerable npm extension installed · Attacker must host a malicious GitHub repository with crafted package.json and supporting files
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.8
EPSS 0.1032
EPSS Percentile 93.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (2)
microsoft/npm < 0.3.15
npm/vscode-npm-script 0.0.0npm
Published Feb 25, 2021
Tracked Since Feb 18, 2026