{"id":"CVE-2026-48027","summary":"Compromised Nx Console version 18.95.0","details":"Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version.","aliases":["GHSA-c9j4-9m59-847w"],"modified":"2026-07-08T08:05:51.471091947Z","published":"2026-05-27T15:50:01.143Z","database_specific":{"cwe_ids":["CWE-506"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48027.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48027"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48027.json"},{"type":"ADVISORY","url":"https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48027"},{"type":"REPORT","url":"https://github.com/nrwl/nx-console/issues/3139"},{"type":"ARTICLE","url":"https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise"},{"type":"ARTICLE","url":"https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nrwl/nx-console","events":[{"introduced":"f8c95098e6ac7a0e3c81ceb11a89f9c608beccdc"},{"last_affected":"f8c95098e6ac7a0e3c81ceb11a89f9c608beccdc"}],"database_specific":{"cpe":"cpe:2.3:a:nx:nx_console:18.95.0:*:*:*:*:visual_studio_code:*:*","extracted_events":[{"introduced":"= 18.95.0"},{"last_affected":"= 18.95.0"},{"introduced":"18.95.0"},{"last_affected":"18.95.0"}],"source":["AFFECTED_FIELD","CPE_STRING"]}}],"versions":["18.95.0","= 18.95.0","vscode-v18.95.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48027.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}