CVE-2026-48027 - Vulnerability Details

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since today.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/nrwl/nx-console/issues/3139
https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w
https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise
https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised

History

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-05-27T00:00:00+00:00', 'dueDate': '2026-06-10T00:00:00+00:00'}`

Wed, 27 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.
Title		Compromised Nx Console version 18.95.0
Weaknesses		CWE-506
References		https://github.com/nrwl/nx-console/issues/3139 https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-27T15:50:01.143Z

Updated: 2026-05-27T15:50:01.143Z

Reserved: 2026-05-20T17:44:09.587Z

Link: CVE-2026-48027

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T17:16:41.787

Modified: 2026-05-27T17:16:41.787

Link: CVE-2026-48027

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object