Skip to main content

Visual Studio Code EUVDEUVD-2026-35586

| CVE-2026-48569 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 secure@microsoft.com GHSA-3jqf-9c2w-8c5m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
ENISA EUVD
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 12, 2026 - 17:07 NVD
HIGH MEDIUM
CVSS changed
Jun 12, 2026 - 17:07 NVD
7.1 (HIGH) 5.5 (MEDIUM)
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:49 vuln.today

DescriptionNVD

Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

AnalysisAI

Security feature bypass in Microsoft Visual Studio Code allows a local unauthenticated attacker to circumvent a built-in protection mechanism through improper input validation, requiring user interaction to trigger. With CVSS 7.1 and scope-changed impact (S:C) yielding high confidentiality exposure, the flaw lets a crafted input cross VS Code's trust boundary on the local host. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Visual Studio Code is Microsoft's cross-platform Electron-based source code editor that ships with security features such as Workspace Trust, restricted-mode rendering, and extension sandboxing to contain untrusted repository content. The root cause is CWE-20 (Improper Input Validation), meaning the editor accepts or processes input in a way that does not sufficiently enforce expected structural or semantic constraints, enabling a security check to be bypassed. The scope-changed CVSS metric (S:C) indicates that the vulnerable VS Code component can affect resources beyond its own security authority - consistent with a Workspace Trust or sandbox boundary being undermined when a malicious workspace, file, or URI handler is opened.

RemediationAI

Apply the Microsoft-issued update for Visual Studio Code as documented in MSRC advisory CVE-2026-48569 at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48569; exact fix version is not provided in the supplied data and must be confirmed against that advisory. Enable VS Code's auto-update channel so endpoints converge on the patched build, and in managed environments push the update through your endpoint management tool. Until patched, treat unknown repositories as untrusted by keeping Workspace Trust enabled (security.workspace.trust.enabled=true) and refusing to grant trust to cloned repos, avoid opening folders or files received from untrusted sources, and disable automatic opening of workspaces from URI handlers; these controls reduce the user-interaction surface that the bug requires but do not fully eliminate the bypass.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

Share

EUVD-2026-35586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy