Microsoft Visual Studio Code vulnerabilities

CVE-2026-41613 [HIGH] CWE-78 CVE-2026-41613: Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-41109 [HIGH] CWE-74 CVE-2026-41109: Improper neutralization of special elements in output used by a downstream component ('injection') i Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.

CVE-2026-41610 [MEDIUM] CWE-59 CVE-2026-41610: Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studi Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

CVE-2026-41611 [LOW] CWE-77 CVE-2026-41611: Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

CVE-2026-21518 [HIGH] CWE-77 CVE-2026-21518: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilo Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network.

CVE-2026-21523 [HIGH] CWE-367 CVE-2026-21523: Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an auth Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network.

CVE-2025-64660 [HIGH] CWE-284 CVE-2025-64660: Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to ex Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.

CVE-2025-62453 [MEDIUM] CWE-693 CVE-2025-62453: Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an autho Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally.

CVE-2025-55319 [CRITICAL] CWE-77 CVE-2025-55319: Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.

CVE-2025-21264 [HIGH] CWE-552 CVE-2025-21264: Files or directories accessible to external parties in Visual Studio Code allows an unauthorized att Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

CVE-2025-32726 [MEDIUM] CWE-284 CVE-2025-32726: Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges lo Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally.

CVE-2025-26631 [HIGH] CWE-427 CVE-2025-26631: Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate priv Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally.

CVE-2025-24039 [HIGH] CWE-427 CVE-2025-24039: Visual Studio Code Elevation of Privilege Vulnerability Visual Studio Code Elevation of Privilege Vulnerability

CVE-2025-24042 [HIGH] CWE-284 CVE-2025-24042: Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability

CVE-2024-43488 [CRITICAL] CWE-306 CVE-2024-43488: Missing authentication for critical function in Visual Studio Code extension for Arduino allows an u Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector.

CVE-2024-43601 [HIGH] CWE-77 CVE-2024-43601: Visual Studio Code for Linux Remote Code Execution Vulnerability Visual Studio Code for Linux Remote Code Execution Vulnerability

CVE-2024-26165 [HIGH] CWE-256 CVE-2024-26165: Visual Studio Code Elevation of Privilege Vulnerability Visual Studio Code Elevation of Privilege Vulnerability

CVE-2023-36742 [HIGH] CVE-2023-36742: Visual Studio Code Remote Code Execution Vulnerability Visual Studio Code Remote Code Execution Vulnerability

CVE-2023-33144 [MEDIUM] CWE-23 Visual Studio Code Spoofing Vulnerability Visual Studio Code Spoofing Vulnerability Visual Studio Code Spoofing Vulnerability

CVE-2023-29338 [MEDIUM] CWE-285 Visual Studio Code Spoofing Vulnerability Visual Studio Code Spoofing Vulnerability Visual Studio Code Spoofing Vulnerability