Skip to main content

Visual Studio Code EUVDEUVD-2026-35698

| CVE-2026-47287 MEDIUM
Relative Path Traversal (CWE-23)
2026-06-09 secure@microsoft.com GHSA-cw93-p7fx-xgqx
6.5
CVSS 3.1 · NVD
Temporal: 5.7
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:35 vuln.today
Patch available
Jun 09, 2026 - 19:03 EUVD

DescriptionNVD

Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.

AnalysisAI

Relative path traversal in Visual Studio Code versions prior to 1.123.1 enables unauthenticated remote attackers to tamper with files outside the intended directory boundary, producing a high integrity impact with no confidentiality or availability loss. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires no privileges and is low-complexity over a network, but depends on a victim interacting with attacker-controlled content. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

CWE-23 (Relative Path Traversal) describes a failure to sanitize relative path sequences such as '../' or './' within user-controlled input before using it to construct file system paths. In Visual Studio Code, a widely deployed Electron-based IDE by Microsoft, this class of flaw can manifest in workspace or extension processing code that accepts externally-supplied path components without normalization, allowing writes to escape the intended working directory. The affected version range per EUVD is Visual Studio Code 1.0.0 through below 1.123.1. The network attack vector with user interaction suggests the vulnerability is triggered when a user opens a crafted file, workspace configuration, or remote resource within the editor rather than through an autonomous server-side code path.

RemediationAI

The primary remediation is to upgrade Visual Studio Code to version 1.123.1 or later, which addresses the relative path traversal per the vendor-released patch. The Microsoft Security Response Center advisory is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47287. As a compensating control where immediate upgrade is not feasible, restrict opening of untrusted workspaces, workspace files (.code-workspace), or repository folders from unknown sources, as user interaction is required to trigger the vulnerability - preventing exposure to untrusted content directly limits exploitation opportunity. Note that this control relies on user discipline and does not eliminate the underlying flaw. No additional workarounds were specified in vendor guidance at time of analysis.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

Share

EUVD-2026-35698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy