Skip to main content

Visual Studio Code CVE-2026-47284

| EUVDEUVD-2026-35574 MEDIUM
Information Exposure (CWE-200)
2026-06-09 secure@microsoft.com GHSA-ggv7-g73m-p34c
6.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:36 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD

DescriptionNVD

Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.

Technical ContextAI

Visual Studio Code is Microsoft's Electron-based cross-platform IDE, widely deployed in enterprise and developer environments where it routinely processes source code containing credentials, API keys, and configuration secrets. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) describes a root cause where the application inadvertently surfaces sensitive data to a party that should not have access - this can manifest as unintended network requests leaking file contents, workspace data, or environment variables to an attacker-controlled endpoint. The network attack vector (AV:N) combined with unchanged scope (S:U) suggests the disclosure occurs within the VS Code process boundary rather than escaping to the underlying OS. The ENISA EUVD identifier EUVD-2026-35574 corroborates the NVD/MSRC record. The affected CPE range covers all VS Code releases from 1.0.0 up to but not including 1.123.1.

RemediationAI

Upgrade Visual Studio Code to version 1.123.1 or later, which contains the vendor-released patch per Microsoft's Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47284. The fix version 1.123.1 is confirmed by ENISA EUVD-2026-35574 sourced from the affected version range. Users can update via the VS Code built-in updater (Help > Check for Updates) or by downloading the latest release from the official Microsoft distribution channel. As a compensating control prior to patching, administrators should advise developers to avoid opening untrusted workspaces, files, or extensions, and to disable any VS Code features that make outbound network requests to external or unrecognized endpoints (e.g., experimental features, third-party extensions with network permissions). Disabling untrusted workspace mode and restricting extension installations to verified publishers reduces the attack surface, though these controls do not eliminate the underlying vulnerability and carry the trade-off of reduced developer productivity.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

Share

CVE-2026-47284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy