CVE-2026-48027

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nrwl/nx-console/issues/3139	Issue Tracking
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w	Mitigation Vendor Advisory
https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise	Vendor Advisory
https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised	Exploit Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:nx:nx_console:18.95.0:*:*:*:*:visual_studio_code:*:*

History

27 May 2026, 20:34

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:nx:nx_console:18.95.0:::::visual_studio_code::
First Time		Nx nx Console Nx
References	~~() https://github.com/nrwl/nx-console/issues/3139 -~~	() https://github.com/nrwl/nx-console/issues/3139 - Issue Tracking
References	~~() https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w -~~	() https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w - Mitigation, Vendor Advisory
References	~~() https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise -~~	() https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise - Vendor Advisory
References	~~() https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised -~~	() https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised - Exploit, Third Party Advisory
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027 - US Government Resource

27 May 2026, 19:16

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027 -

27 May 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 17:16

Updated : 2026-05-27 20:34

NVD link : CVE-2026-48027

Mitre link : CVE-2026-48027

CVE.ORG link : CVE-2026-48027

JSON object : View

Products Affected

nx_console

CWE

CWE-506

Embedded Malicious Code

9.8 /10