Skip to main content

Visual Studio Code CVE-2026-47292

| EUVDEUVD-2026-35502 HIGH
Code Injection (CWE-94)
2026-06-09 secure@microsoft.com GHSA-5qvv-w9jp-w335
7.8
CVSS 3.1 · NVD
Temporal: 6.8
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
6.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:56 vuln.today

DescriptionNVD

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.

AnalysisAI

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Visual Studio Code is Microsoft's cross-platform Electron-based source code editor that loads extensions, workspace settings, tasks, and scripts from project directories. CWE-94 (Improper Control of Generation of Code / 'Code Injection') combined with the MSRC categorization of 'Inclusion of functionality from untrusted control sphere' indicates VS Code is loading or executing code from a location an attacker can influence - common patterns include workspace-scoped settings, debug configurations, task definitions, or extension manifests that get auto-evaluated when a project is opened. Because VS Code runs renderer and extension host processes under the invoking user's token, code injected through these untrusted channels executes with that user's privileges, which on developer workstations is frequently a local admin or a user with access to sensitive credentials, source code, and signing keys.

RemediationAI

Patch availability is indicated by the MSRC update-guide reference but no exact fixed version is present in the supplied data, so the practical step is to consult https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47292 and upgrade Visual Studio Code to the patched build identified there across all developer endpoints, then verify via Help > About. Compensating controls while patching rolls out: instruct users to avoid opening untrusted repositories or archives in VS Code, keep Workspace Trust enabled (Settings > security.workspace.trust.enabled = true) so untrusted folders open in restricted mode that blocks tasks, debugging, and most extensions - accepting the trade-off that developers must explicitly trust legitimate workspaces; disable automatic execution of tasks and debug configurations on folder open; and consider blocking auto-installation of unvetted extensions via the extensions.autoUpdate and allowed-extensions enterprise policies, which adds review overhead but reduces the untrusted-content attack surface.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

CVE-2024-26165 HIGH
8.8 Mar 12

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

CVE-2026-47292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy