Skip to main content

Visual Studio Code EUVDEUVD-2026-44277

| CVE-2026-57102 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-07-14 microsoft GHSA-3r7w-m284-m5r3
8.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
8.8 HIGH

Network-delivered untrusted content needs no privileges (PR:N) but requires the victim to open it (UI:R); inclusion of untrusted functionality yields high C/I/A within the editor's unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 18:55 vuln.today
CVE Published
Jul 14, 2026 - 17:09 nvd
HIGH 8.8

DescriptionCVE.org

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious repository or file
Delivery
Lure developer to open in VS Code
Exploit
Untrusted functionality loaded and included
Execution
Bypass security feature
Impact
Compromise editor confidentiality/integrity/availability

Vulnerability AssessmentAI

Exploitation Exploitation requires user interaction (CVSS UI:R): the victim must open or interact with attacker-controlled content in Visual Studio Code - such as a malicious repository, workspace, file, or link that causes the editor to include functionality from an untrusted control sphere. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H drives the 8.8 score: network vector, low complexity, no privileges, but mandatory user interaction (UI:R) - meaning a victim must open a repository, file, or link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious repository or file - for example a project with hostile workspace configuration or a component referenced from an untrusted location - and lures a developer into opening it in Visual Studio Code. When the victim opens the content (UI:R), the untrusted functionality loads and bypasses the intended security feature, giving the attacker high-impact control over the editor's context. …
Remediation Patch available per vendor advisory: update Visual Studio Code to the fixed release identified in the MSRC guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57102 (the exact patched version is listed there; it is not restated in this feed, so consult MSRC for the precise build). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all VSCode installations and document current versions in deployment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-41034 HIGH POC
7.8 Oct 11

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authent

CVE-2022-30129 HIGH POC
8.8 May 10

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely e

CVE-2026-47281 CRITICAL
9.6 Jun 09

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over

CVE-2026-41109 HIGH
8.8 May 12

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and

CVE-2024-43488 CRITICAL
9.8 Oct 08

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attac

CVE-2026-50520 HIGH
8.4 Jul 14

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker

CVE-2026-45482 HIGH
8.4 Jun 09

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker

CVE-2026-40376 HIGH
8.1 Jun 09

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attack

CVE-2026-47292 HIGH
7.8 Jun 09

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a

CVE-2026-41611 HIGH
7.8 May 12

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthoriz

CVE-2026-21518 HIGH
8.8 Feb 10

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers t

CVE-2024-26165 HIGH
8.8 Mar 12

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely

Share

EUVD-2026-44277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy