Skip to main content

Visual Studio Code

64 CVEs product

Monthly

CVE-2026-57102 HIGH PATCH This Week

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2026-57101 HIGH PATCH Exploit Unlikely This Week

Cross-site scripting in Microsoft Visual Studio Code lets an attacker who tricks a local user into opening crafted content bypass a built-in security feature and gain high-impact code execution within the editor context. The flaw (CWE-79) carries a CVSS 3.1 base score of 7.1 with a local attack vector requiring user interaction, and Microsoft has published an advisory with a fix. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Visual Studio Code
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-50520 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker run arbitrary commands on the host with the privileges of the editor. Reported by Microsoft with a vendor patch available, the CVSS 3.1 score of 8.4 reflects full compromise of confidentiality, integrity, and availability via a local attack vector requiring no privileges or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection Visual Studio Code
NVD
CVSS 3.1
8.4
EPSS
0.6%
CVE-2026-45496 MEDIUM PATCH Exploit Unlikely This Month

Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Path Traversal Visual Studio Code
NVD
CVSS 3.1
5.5
EPSS
0.5%
CVE-2026-47282 MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-48569 MEDIUM PATCH Exploit Unlikely This Month

Security feature bypass in Microsoft Visual Studio Code allows a local unauthenticated attacker to circumvent a built-in protection mechanism through improper input validation, requiring user interaction to trigger. With CVSS 7.1 and scope-changed impact (S:C) yielding high confidentiality exposure, the flaw lets a crafted input cross VS Code's trust boundary on the local host. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-47292 HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Visual Studio Code
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-47287 MEDIUM PATCH Exploit Unlikely This Month

Relative path traversal in Visual Studio Code versions prior to 1.123.1 enables unauthenticated remote attackers to tamper with files outside the intended directory boundary, producing a high integrity impact with no confidentiality or availability loss. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires no privileges and is low-complexity over a network, but depends on a victim interacting with attacker-controlled content. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Path Traversal Visual Studio Code
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-47284 MEDIUM PATCH Exploit Unlikely This Month

Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.

Information Disclosure Visual Studio Code
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-47281 CRITICAL PATCH Act Now

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over a network when a victim performs a required interaction, due to improper input validation classified as missing authentication (CWE-306). The flaw carries a critical CVSS 9.6 score with scope change, meaning a successful attack impacts resources beyond the vulnerable component. No public exploit identified at time of analysis, but the user-interaction trigger combined with VS Code's massive developer install base makes this a notable supply-chain-adjacent risk.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-45482 HIGH PATCH Exploit Unlikely This Week

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker to escape a restricted directory and reach files or resources that should be inaccessible. The flaw is tracked under CWE-22 with a CVSS 3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N) reflecting high confidentiality, integrity, and availability impact from local exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Visual Studio Code
NVD VulDB
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-40376 HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41611 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

XSS Visual Studio Code
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-41610 MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

XSS Visual Studio Code
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-41109 HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Visual Studio Code
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-21523 HIGH PATCH This Week

Authenticated users can exploit a race condition in GitHub Copilot and Visual Studio Code to execute arbitrary code remotely by manipulating file state between verification and use. This vulnerability affects users with network access to these development tools and requires user interaction to trigger. No patch is currently available to address this high-severity flaw.

Github Race Condition AI / ML Visual Studio Code
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-21518 HIGH PATCH This Week

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.

Github Command Injection AI / ML Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-64660 HIGH This Month

Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-62453 MEDIUM This Month

Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-55319 HIGH This Month

Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-21264 HIGH This Week

Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Visual Studio Code
NVD
CVSS 3.1
7.1
EPSS
1.2%
CVE-2025-32726 MEDIUM This Month

Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
6.8
EPSS
0.7%
CVE-2025-24042 HIGH This Week

Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-24039 HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2024-43601 HIGH PATCH This Week

Visual Studio Code for Linux Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

RCE Command Injection Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2024-43488 CRITICAL PATCH Act Now

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass RCE Visual Studio Code
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-26165 HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2023-36742 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
1.2%
CVE-2023-33144 MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
6.6
EPSS
1.3%
CVE-2023-29338 MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity.

Authentication Bypass Visual Studio Code
NVD
CVSS 3.1
6.6
EPSS
0.9%
CVE-2023-24893 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
1.1%
CVE-2023-21779 HIGH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.3%
CVE-2022-41042 HIGH PATCH This Week

Visual Studio Code Information Disclosure Vulnerability. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
7.4
EPSS
1.9%
CVE-2022-41034 HIGH POC PATCH THREAT Act Now

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD GitHub
CVSS 3.1
7.8
EPSS
67.5%
CVE-2022-38020 HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
7.3
EPSS
0.9%
CVE-2022-30129 HIGH POC PATCH THREAT This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Visual Studio Code
NVD
CVSS 3.1
8.8
EPSS
41.7%
CVE-2022-26921 HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
7.3
EPSS
0.6%
CVE-2022-24526 MEDIUM This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
6.1
EPSS
1.6%
CVE-2021-43908 MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
4.3
EPSS
2.7%
CVE-2021-43891 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
11.7%
CVE-2021-42322 HIGH PATCH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2021-26437 MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
CVSS 3.1
5.5
EPSS
2.1%
CVE-2021-34529 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
3.9%
CVE-2021-34528 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.9%
CVE-2021-34479 HIGH PATCH This Week

Microsoft Visual Studio Spoofing Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Information Disclosure Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
3.1%
CVE-2021-31214 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.9%
CVE-2021-31211 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.5%
CVE-2021-28477 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Visual Studio Code
NVD
CVSS 3.1
7.0
EPSS
2.3%
CVE-2021-28475 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2021-28473 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2021-28471 HIGH PATCH This Week

Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
4.1%
CVE-2021-28469 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2021-28457 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.7%
CVE-2021-27060 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
2.9%
CVE-2021-1639 HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Visual Studio 2017 Visual Studio 2019 Visual Studio Code
NVD
CVSS 3.1
7.0
EPSS
2.0%
CVE-2020-17148 HIGH PATCH This Week

Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
3.6%
CVE-2020-17104 HIGH PATCH This Week

Visual Studio Code JSHint Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
3.6%
CVE-2020-17023 HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
4.6%
CVE-2020-16977 HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads a Jupyter notebook file. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Python Visual Studio Code
NVD
CVSS 3.1
7.0
EPSS
3.4%
CVE-2020-16881 HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
5.4%
CVE-2020-0604 HIGH PATCH This Week

A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.1
7.8
EPSS
3.6%
CVE-2020-1416 HIGH PATCH This Week

An elevation of privilege vulnerability exists in Visual Studio and Visual Studio Code when they load software dependencies, aka 'Visual Studio and Visual Studio Code Elevation of Privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Azure Storage Explorer TypeScript Visual Studio 2017 Visual Studio 2019 +1
NVD
CVSS 3.1
8.8
EPSS
5.9%
CVE-2019-0728 HIGH PATCH This Week

A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project, aka 'Visual Studio Code Remote Code Execution Vulnerability'. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
CVSS 3.0
7.8
EPSS
27.7%
CVE-2018-0597 HIGH This Week

Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
CVSS 3.0
7.8
EPSS
5.1%
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Security-feature bypass in Microsoft Visual Studio Code lets a remote attacker deliver functionality from an untrusted control sphere (CWE-829) that circumvents a built-in protection, yielding high confidentiality, integrity, and availability impact once a victim opens or interacts with attacker-supplied content. Rated CVSS 8.8 (AV:N/AC:L/PR:N/UI:R), it requires user interaction but no authentication, and Microsoft has released a fix via MSRC. There is no public exploit identified at time of analysis and it is not on the CISA KEV list.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 7.1
HIGH PATCH Exploit Unlikely This Week

Cross-site scripting in Microsoft Visual Studio Code lets an attacker who tricks a local user into opening crafted content bypass a built-in security feature and gain high-impact code execution within the editor context. The flaw (CWE-79) carries a CVSS 3.1 base score of 7.1 with a local attack vector requiring user interaction, and Microsoft has published an advisory with a fix. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Visual Studio Code
NVD
EPSS 1% CVSS 8.4
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft Visual Studio Code stems from a command injection flaw (CWE-77) that lets an attacker run arbitrary commands on the host with the privileges of the editor. Reported by Microsoft with a vendor patch available, the CVSS 3.1 score of 8.4 reflects full compromise of confidentiality, integrity, and availability via a local attack vector requiring no privileges or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Command Injection Visual Studio Code
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Path Traversal Visual Studio Code
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Insufficiently protected credentials in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Information Disclosure Visual Studio Code
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH Exploit Unlikely This Month

Security feature bypass in Microsoft Visual Studio Code allows a local unauthenticated attacker to circumvent a built-in protection mechanism through improper input validation, requiring user interaction to trigger. With CVSS 7.1 and scope-changed impact (S:C) yielding high confidentiality exposure, the flaw lets a crafted input cross VS Code's trust boundary on the local host. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local privilege elevation in Microsoft Visual Studio Code allows an unprivileged attacker to gain higher privileges on a host by tricking a user into triggering inclusion of functionality from an untrusted control sphere (CWE-94 code injection class). The flaw requires user interaction and local access per the CVSS vector (AV:L/UI:R), yielding full confidentiality, integrity, and availability impact at CVSS 7.8. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Visual Studio Code
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Relative path traversal in Visual Studio Code versions prior to 1.123.1 enables unauthenticated remote attackers to tamper with files outside the intended directory boundary, producing a high integrity impact with no confidentiality or availability loss. The CVSS vector (AV:N/AC:L/PR:N/UI:R) indicates the attack requires no privileges and is low-complexity over a network, but depends on a victim interacting with attacker-controlled content. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.

Path Traversal Visual Studio Code
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH Exploit Unlikely This Month

Information disclosure in Visual Studio Code versions 1.0.0 through 1.123.0 allows an unauthenticated remote attacker to exfiltrate sensitive information over a network by inducing user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates that while no authentication or elevated complexity is required on the attacker's side, the victim must perform some interaction to trigger the exposure - likely opening a malicious file, workspace, or following a crafted link within the IDE environment. No public exploit code or CISA KEV listing has been identified at time of analysis, but the high confidentiality impact and zero-privilege requirement make this a meaningful risk for developer workstations handling secrets, tokens, or source code.

Information Disclosure Visual Studio Code
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Privilege escalation in Microsoft Visual Studio Code allows remote unauthenticated attackers to elevate privileges over a network when a victim performs a required interaction, due to improper input validation classified as missing authentication (CWE-306). The flaw carries a critical CVSS 9.6 score with scope change, meaning a successful attack impacts resources beyond the vulnerable component. No public exploit identified at time of analysis, but the user-interaction trigger combined with VS Code's massive developer install base makes this a notable supply-chain-adjacent risk.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH Exploit Unlikely This Week

Security feature bypass via path traversal in GitHub Copilot and Visual Studio Code allows a local unauthorized attacker to escape a restricted directory and reach files or resources that should be inaccessible. The flaw is tracked under CWE-22 with a CVSS 3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N) reflecting high confidentiality, integrity, and availability impact from local exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Visual Studio Code
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH Exploit Unlikely This Week

Privilege escalation in Microsoft Visual Studio Code versions 1.0.0 through 1.119.0 allows remote unauthenticated attackers to elevate privileges over a network by exploiting improper input validation (CWE-20). Microsoft has released a patched build (1.119.1) and SSVC rates technical impact as total, though EPSS remains low at 0.09% with no public exploit identified at time of analysis.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

XSS Visual Studio Code
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH Exploit Unlikely This Month

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

XSS Visual Studio Code
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH Exploit Unlikely This Week

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

Authentication Bypass Visual Studio Code
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Authenticated users can exploit a race condition in GitHub Copilot and Visual Studio Code to execute arbitrary code remotely by manipulating file state between verification and use. This vulnerability affects users with network access to these development tools and requires user interaction to trigger. No patch is currently available to address this high-severity flaw.

Github Race Condition AI / ML +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.

Github Command Injection AI / ML +1
NVD
EPSS 0% CVSS 8.0
HIGH This Month

Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 8.8
HIGH This Month

Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Visual Studio Code
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Visual Studio Code
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Visual Studio Code
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code for Linux Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

RCE Command Injection Visual Studio Code
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass RCE Visual Studio Code
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 1% CVSS 6.6
MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity.

Information Disclosure Visual Studio Code
NVD
EPSS 1% CVSS 6.6
MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity.

Authentication Bypass Visual Studio Code
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 2% CVSS 7.8
HIGH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Visual Studio Code
NVD
EPSS 2% CVSS 7.4
HIGH PATCH This Week

Visual Studio Code Information Disclosure Vulnerability. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
EPSS 67% CVSS 7.8
HIGH POC PATCH THREAT Act Now

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
EPSS 42% CVSS 8.8
HIGH POC PATCH THREAT This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Visual Studio Code
NVD
EPSS 1% CVSS 7.3
HIGH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
EPSS 2% CVSS 6.1
MEDIUM This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD
EPSS 3% CVSS 4.3
MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
EPSS 12% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Elevation of Privilege Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Visual Studio Code
NVD
EPSS 2% CVSS 5.5
MEDIUM PATCH This Month

Visual Studio Code Spoofing Vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Visual Studio Code
NVD
EPSS 4% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Microsoft Visual Studio Spoofing Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Information Disclosure Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 2% CVSS 7.0
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 4% CVSS 7.8
HIGH PATCH This Week

Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 2% CVSS 7.0
HIGH PATCH This Week

Visual Studio Code Remote Code Execution Vulnerability. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Visual Studio 2017 Visual Studio 2019 +1
NVD
EPSS 4% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 4% CVSS 7.8
HIGH PATCH This Week

Visual Studio Code JSHint Extension Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 5% CVSS 7.8
HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 3% CVSS 7.0
HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads a Jupyter notebook file. Rated high severity (CVSS 7.0), this vulnerability is no authentication required.

RCE Python Visual Studio Code
NVD
EPSS 5% CVSS 7.8
HIGH PATCH This Week

<p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 4% CVSS 7.8
HIGH PATCH This Week

A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

RCE Visual Studio Code
NVD
EPSS 6% CVSS 8.8
HIGH PATCH This Week

An elevation of privilege vulnerability exists in Visual Studio and Visual Studio Code when they load software dependencies, aka 'Visual Studio and Visual Studio Code Elevation of Privilege. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Azure Storage Explorer TypeScript +3
NVD
EPSS 28% CVSS 7.8
HIGH PATCH This Week

A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project, aka 'Visual Studio Code Remote Code Execution Vulnerability'. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

RCE Visual Studio Code
NVD
EPSS 5% CVSS 7.8
HIGH This Week

Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Visual Studio Code
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy