Skip to main content

Visual Studio Code EUVDEUVD-2026-44276

| CVE-2026-57101 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 microsoft GHSA-8vjh-hxqp-x752
6.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.1 HIGH

Local delivery of crafted content (AV:L) requiring the user to open it (UI:R), no auth (PR:N); a bypassed sandbox yields high confidentiality/integrity impact but no availability effect.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 16, 2026 - 15:52 NVD
HIGH MEDIUM
CVSS changed
Jul 16, 2026 - 15:52 NVD
7.1 (HIGH) 6.1 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 18:56 vuln.today
CVE Published
Jul 14, 2026 - 17:09 nvd
HIGH 7.1

DescriptionNVD

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

AnalysisAI

Cross-site scripting in Microsoft Visual Studio Code lets an attacker who tricks a local user into opening crafted content bypass a built-in security feature and gain high-impact code execution within the editor context. The flaw (CWE-79) carries a CVSS 3.1 base score of 7.1 with a local attack vector requiring user interaction, and Microsoft has published an advisory with a fix. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious file/repo with XSS payload
Delivery
Lure developer to open it locally
Exploit
VS Code renders unsanitized content
Execution
Script executes in editor context
Impact
Bypass security-feature sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to locally open or preview attacker-crafted content in VS Code - the CVSS UI:R confirms mandatory user interaction, and AV:L confirms local delivery rather than remote/network exploitation; no authentication is needed (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) describes a locally-delivered, low-complexity, unauthenticated issue that requires the victim to interact - consistent with a social-engineering delivery (open a malicious repo/file/notebook) rather than remote drive-by. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a repository or file (README, notebook, or extension-rendered content) containing an XSS payload and lures a developer into opening it in VS Code. When the victim opens or previews the crafted content, the injected script executes inside the editor's privileged rendering context and bypasses the intended sandbox/security feature. …
Remediation Patch available per vendor advisory - update Visual Studio Code to the fixed build referenced in Microsoft's MSRC guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57101 (exact fixed version not stated in the available data; confirm on that page). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Visual Studio Code installations across the organization and send a security alert to development teams warning against opening untrusted files until patches are applied. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-57102 HIGH
8.8 Jul 14

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted c

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

Share

EUVD-2026-44276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy