Skip to main content

Microsoft Visual Studio 2026 Version 18 7

16 CVEs product

Monthly

CVE-2026-50659 MEDIUM PATCH Exploit Unlikely This Month

Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.

Information Disclosure Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-50651 HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50650 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection (CWE-94) that lets an unauthorized attacker run code with full confidentiality, integrity, and availability impact after a victim is tricked into interacting with attacker-supplied content. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires local access and user interaction (UI:R), which meaningfully limits mass-exploitation despite the high 7.8 CVSS score.

RCE Code Injection Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-50649 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 +1
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2026-50648 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50646 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises from a protection mechanism failure (CWE-693) that lets an unauthorized attacker run arbitrary code once a victim is lured into opening a malicious file or project. The flaw requires user interaction (UI:R) and local delivery (AV:L) but no prior privileges (PR:N), yielding high confidentiality, integrity, and availability impact and a 7.8 CVSS score. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the ubiquity of .NET on Windows makes patching a priority.

Authentication Bypass Net 8 0 Net 9 0 Microsoft Net Framework 3 5 Microsoft Net Framework 3 5 And 4 7 2 +7
NVD
CVSS 3.1
7.8
EPSS
1.6%
CVE-2026-50528 HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumvent an authorization control over the network due to incorrect authorization logic (CWE-863). Rated CVSS 8.2, the flaw carries a high integrity impact and requires no privileges or user interaction, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch, and the affected surface also includes Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) tooling that bundle the runtime.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-50527 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). Microsoft has published an advisory with fixes; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Stack Overflow Net 10 0 Net 8 0 Net 9 0 +9
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50526 HIGH PATCH Exploit Unlikely This Week

Local tampering via symbolic-link following in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the bundled toolchain in Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) allows an authorized local attacker to redirect a privileged file operation to an unintended target, corrupting or replacing files outside their normal permissions. Microsoft (the reporter) has released a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The high CVSS 3.1 base score of 7.0 is tempered by high attack complexity and the requirement for existing low-level local access.

Information Disclosure Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-50525 HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-50524 HIGH PATCH Exploit Unlikely This Week

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to crash or hang the runtime by sending crafted input that fails proper type validation (CWE-1287). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (A:H) with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Microsoft has released a patch; there is no indication of active exploitation.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-47305 HIGH PATCH This Week

Local code execution in Microsoft Visual Studio (2022 versions 17.12 and 17.14, and 2026 version 18.7) stems from a protection mechanism failure that lets an unauthorized attacker run arbitrary code once a victim is convinced to open or interact with a malicious project, file, or solution. Microsoft has published a fix, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 base score is 7.8, reflecting high confidentiality, integrity, and availability impact requiring local access plus user interaction.

Authentication Bypass Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 Microsoft Visual Studio 2026 Version 18 7
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2026-47304 HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (shipped via Visual Studio 2022 17.12/17.14 and Visual Studio 2026 18.7) lets a remote, unauthenticated attacker defeat a cryptographic-signature check over the network — most likely a JWT/token signature verification flaw per the vendor 'Jwt Attack' and 'Authentication Bypass' tags. By forging or tampering with signed data the runtime fails to validate correctly, an attacker can impersonate trusted principals and undermine an authentication or integrity control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Jwt Attack Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 Microsoft Visual Studio 2026 Version 18 7
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-47303 HIGH PATCH Exploit Unlikely This Week

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker bypass authentication controls by tampering with data the framework wrongly assumes to be immutable (CWE-302). Microsoft reported and patched the flaw; there is no public exploit identified at time of analysis and it is not on CISA KEV. At CVSS 8.8 with PR:L, an authorized user can escalate to higher privileges over the network.

Authentication Bypass Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-47302 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.

Denial Of Service Net 10 0 Net 8 0 Net 9 0 Microsoft Net Framework 3 5 +8
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-47300 HIGH PATCH Exploit Unlikely This Week

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker gain higher privileges by abusing a flawed authentication algorithm implementation (CWE-303). Microsoft reported the flaw and has released a patch; there is no public exploit identified at time of analysis and it is not on the CISA KEV. The 8.8 CVSS reflects high confidentiality, integrity, and availability impact reachable over the network with only low prior privileges.

Information Disclosure Net 10 0 Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 +2
NVD
CVSS 3.1
8.8
EPSS
0.5%
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.

Information Disclosure Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network denial of service in Microsoft .NET 8.0, 9.0, and 10.0 (and the corresponding Visual Studio 2022/2026 tooling) allows an unauthorized remote attacker to exhaust system resources and render affected applications unavailable. The flaw stems from allocation of resources without limits or throttling, meaning a single crafted network interaction can trigger disproportionate resource consumption. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +4
NVD
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft .NET Framework (and .NET 8.0/9.0 plus Visual Studio 2022/2026) via code injection (CWE-94) that lets an unauthorized attacker run code with full confidentiality, integrity, and availability impact after a victim is tricked into interacting with attacker-supplied content. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation requires local access and user interaction (UI:R), which meaningfully limits mass-exploitation despite the high 7.8 CVSS score.

RCE Code Injection Net 8 0 +10
NVD
EPSS 1% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Net 8 0 Net 9 0 +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (including .NET 8.0/9.0/10.0 and .NET Framework 3.5 through 4.8.1) lets a remote unauthenticated attacker exhaust server resources by sending crafted network traffic that triggers unbounded resource allocation. Rated CVSS 7.5 with availability-only impact, it affects default configurations of network-facing .NET applications; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Net 10 0 Net 8 0 +10
NVD
EPSS 2% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET (Framework 3.5 through 4.8.1, .NET 8.0/9.0, and Visual Studio 2022/2026) arises from a protection mechanism failure (CWE-693) that lets an unauthorized attacker run arbitrary code once a victim is lured into opening a malicious file or project. The flaw requires user interaction (UI:R) and local delivery (AV:L) but no prior privileges (PR:N), yielding high confidentiality, integrity, and availability impact and a 7.8 CVSS score. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the ubiquity of .NET on Windows makes patching a priority.

Authentication Bypass Net 8 0 Net 9 0 +9
NVD
EPSS 0% CVSS 8.2
HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (versions 8.0, 9.0, and 10.0) lets a remote, unauthenticated attacker circumvent an authorization control over the network due to incorrect authorization logic (CWE-863). Rated CVSS 8.2, the flaw carries a high integrity impact and requires no privileges or user interaction, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Microsoft has released a patch, and the affected surface also includes Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) tooling that bundle the runtime.

Authentication Bypass Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). Microsoft has published an advisory with fixes; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Stack Overflow Net 10 0 +11
NVD
EPSS 0% CVSS 7.0
HIGH PATCH Exploit Unlikely This Week

Local tampering via symbolic-link following in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the bundled toolchain in Visual Studio 2022 (17.12, 17.14) and Visual Studio 2026 (18.7) allows an authorized local attacker to redirect a privileged file operation to an unintended target, corrupting or replacing files outside their normal permissions. Microsoft (the reporter) has released a fix; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The high CVSS 3.1 base score of 7.0 is tempered by high attack complexity and the requirement for existing low-level local access.

Information Disclosure Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Network-based denial of service in Microsoft .NET 8.0, 9.0, and 10.0 allows an unauthenticated remote attacker to exhaust server resources and render applications unresponsive by exploiting uncontrolled resource allocation (CWE-770) in the runtime. The flaw carries CVSS 7.5 (availability-only impact) and affects the shared .NET runtime that underpins ASP.NET Core web services, so any internet-facing .NET workload is exposed. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Microsoft has released a fix.

Denial Of Service Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Remote denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) allows an unauthenticated network attacker to crash or hang the runtime by sending crafted input that fails proper type validation (CWE-1287). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (A:H) with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Microsoft has released a patch; there is no indication of active exploitation.

Authentication Bypass Net 10 0 Net 8 0 +4
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local code execution in Microsoft Visual Studio (2022 versions 17.12 and 17.14, and 2026 version 18.7) stems from a protection mechanism failure that lets an unauthorized attacker run arbitrary code once a victim is convinced to open or interact with a malicious project, file, or solution. Microsoft has published a fix, but there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. The CVSS 3.1 base score is 7.8, reflecting high confidentiality, integrity, and availability impact requiring local access plus user interaction.

Authentication Bypass Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Security feature bypass in Microsoft .NET (shipped via Visual Studio 2022 17.12/17.14 and Visual Studio 2026 18.7) lets a remote, unauthenticated attacker defeat a cryptographic-signature check over the network — most likely a JWT/token signature verification flaw per the vendor 'Jwt Attack' and 'Authentication Bypass' tags. By forging or tampering with signed data the runtime fails to validate correctly, an attacker can impersonate trusted principals and undermine an authentication or integrity control. Microsoft has released a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Jwt Attack Microsoft Visual Studio 2022 Version 17 12 +2
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker bypass authentication controls by tampering with data the framework wrongly assumes to be immutable (CWE-302). Microsoft reported and patched the flaw; there is no public exploit identified at time of analysis and it is not on CISA KEV. At CVSS 8.8 with PR:L, an authorized user can escalate to higher privileges over the network.

Authentication Bypass Net 10 0 Net 8 0 +4
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and the legacy .NET Framework (3.5 through 4.8.1) allows a remote unauthenticated attacker to exhaust server resources over the network, causing availability loss. The flaw stems from missing limits or throttling on resource allocation (CWE-770), and Microsoft has released a patch via MSRC. There is no public exploit identified at time of analysis, and EPSS/KEV data were not supplied, so this appears to be a proactively patched issue rather than one under active exploitation.

Denial Of Service Net 10 0 Net 8 0 +10
NVD
EPSS 1% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Privilege elevation in ASP.NET Core (bundled with .NET 8.0, 9.0, and 10.0) lets an already-authenticated, low-privileged network attacker gain higher privileges by abusing a flawed authentication algorithm implementation (CWE-303). Microsoft reported the flaw and has released a patch; there is no public exploit identified at time of analysis and it is not on the CISA KEV. The 8.8 CVSS reflects high confidentiality, integrity, and availability impact reachable over the network with only low prior privileges.

Information Disclosure Net 10 0 Net 8 0 +4
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy