CVE-2025-26646

CWE-73 CWE-290 CWE-770 — Allocation without Limits9 documents7 sources

Severity

8.0HIGH

EPSS

0.2%

top 53.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft .net 8.0 Microsoft .net 9.0 Microsoft Build Tools FOR Visual Studio 2022 +7 more

Timeline

PublishedMay 13

Latest updateMay 16

Description

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 2.1 | Impact: 5.9

Affected Packages13 packages

▶CVEListV5microsoft/build_tools_for_visual_studio_202217.0 — Fixed Version 17.13.7

▶NVDmicrosoft/visual_studio_202217.8.0 — 17.8.21+3

▶CVEListV5microsoft/microsoft_visual_studio_2022_version_17.817.8.0 — 17.8.21

▶CVEListV5microsoft/microsoft_visual_studio_2022_version_17.1017.10.0 — 17.10.15

▶CVEListV5microsoft/microsoft_visual_studio_2022_version_17.1217.12.0 — 17.12.8

🔴Vulnerability Details

GHSA

Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability↗2025-05-13

▶

OSV

Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability↗2025-05-13

▶

CVEList

.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability↗2025-05-13

▶

OSV

CVE-2025-26646: External control of file name or path in↗2025-05-13

▶

📋Vendor Advisories

Ubuntu

.NET vulnerability↗2025-05-16

▶

Red Hat

dotnet: .NET and Visual Studio Spoofing Vulnerability↗2025-05-14

▶

Microsoft

.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability↗2025-05-13

▶

Microsoft

thermal: intel: hfi: Add syscore callbacks for system-wide PM↗2024-03-12

▶