—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Remote Code Execution Vulnerability in Nx Console

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

Nx Console version 18.95.0

Overview

A vulnerability has been reported in Nx Console which may allow an attacker to execute arbitrary code, steal sensitive information and gain unauthorized access to targeted systems.

Target Audience:

All organizations, developers, system administrators, and enterprises using Nx Console in Visual Studio Code or OpenVSX environments.

Risk Assessment:

High risk of remote code execution and compromise of development environments.

Impact Assessment:

Potential for full system compromise, theft of developer credentials, unauthorized execution of malicious code, and exposure of sensitive data.

Description

Nx Console is a user interface extension for Nx and Lerna used within development environments such as Visual Studio Code and OpenVSX.

The vulnerability exists in Nx Console due to embedded malicious code in affected version. A malicious version of Nx Console (version 18.95.0) was published to the Visual Studio Marketplace and OpenVSX repositories.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, steal sensitive information and gain unauthorized access to targeted systems.

Solution

Apply appropriate updates as mentioned:

https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w

Vendor Information

Nx Console

https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise

References

Nx Console

https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w

https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise

CVE Name

CVE-2026-48027

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmogM84ACgkQ3jCgcSdc

ys+I2w/6AzKlU+kfElgKoArLCAW5ZMcSi2qjf1fzvZ/4mQdAfbzMytcpZ8TpLRlO

WND+P+vyzitzy7DgxAuvJBR2I4cf44U3F2EmLn1mHEIUngZ602a3DyUm7ecnKV6A

D0YPmbRVdJTogwUSnb+QkpzFQ03ouMRq8On9Bih78uiS1TAjF1HD5+EeHmlaG20M

OOq3lsnwG+m7NfCHhk5typcBV8POSMYWsOMDcCWs/PWmYkNhVCy2Wrbj60hPEHtO

TMWYzvgwPdfNruurkMn69Lo5E1lJ5gF8IBtGo46kKXnQHQykzmhWsD5vsTLutjhE

b/j47UoYiWg617KapLUTiwE6w0jgfT+yDg7s+VUolhjHQHnlFQdm90TPBTrijE12

vzaj1GSNQr/SHY/VElIyPWlRb6UtbqxLejMtGk8UHsvfKWAklh8xSDrZhniwHCyV

cblA8NHLUnvbJgKkOh3lv0eDVY9mgV6syFReQocehLRnuDFdfIssQs3oAYWXb1OE

0kkKTmqzhygAYAUXK8GhyrqK/5yDQnUIvLTNev/w/ixQQ4VJvJg6wKd10WpBDzL7

33U38sODbiXfbSrk7XUEwzdnsiS0js4uUxyiKqEM9z13xx8iv/bpM/1OZu1Ishik

CfhQnrwM1p/3G7HjFJHAeL8KGSb9o4hP8KwaATZ1efK9kw7xMyU=

=Xw+H

—–END PGP SIGNATURE—–