CVE-2026-48027 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2026-05-27

Added to CISA KEV: 2026-05-27 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity on developer workstations
Immediately audit all developer machines for Nx Console version 18.95.0 and upgrade to version 18.100.0 or later
Review developer workstation logs for suspicious activity during the compromise window (May 19, 2026 12:30-13:09 UTC)
Implement extension vetting processes and consider enterprise extension management policies
Monitor for data exfiltration from compromised developer environments
HIGH priority for developer environment security, but not infrastructure patching priority

🔍 Web Intelligence (Kagi · 2026-05-28)

CVE-2026-48027 is a critical vulnerability involving embedded malicious code within the Nx Console extension for Visual Studio Code ^[1]. It was officially added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on May 27, 2026, due to evidence of active exploitation in the wild ^[2] ^[4].

Key Details

Feature	Status/Description
CISA KEV Status	Included (Added May 27, 2026) ^[2]
Active Exploitation	Yes, confirmed in the wild ^[2]
Affected Software	Nx Console extension for Visual Studio Code (specifically version 18.95.0) ^[1]
Internet-Facing	No (Client-side/Developer environment) ^[1]

Exploitation and Technical Details

Attack Vector: The vulnerability is not an internet-facing service exploit in the traditional sense. Instead, it relies on developers installing or updating to the compromised version (18.95.0) of the Nx Console extension ^[1].
Exploitation Method: Once installed, the malicious extension executes arbitrary code with the same permissions as the Visual Studio Code process ^[1]. This allows attackers to potentially access sensitive information on the developer's machine, including source code, credentials, and environment variables ^[1].
Targeted Attacks: While the vulnerability is confirmed to be exploited in the wild, it is primarily categorized as a supply chain-style compromise affecting developer environments rather than a direct attack on internet-facing infrastructure ^[1]. Proof-of-concept material has been identified in security research contexts ^[1].

Organizations and individual developers are advised to review the official security advisory from the Nx Console project for remediation steps and to ensure they are not running the compromised version ^[3].

Sources