Msrc Microsoft Visual Studio 2022 Version 17.14 vulnerabilities

18 known vulnerabilities affecting msrc/microsoft_visual_studio_2022_version_17.14.

Total CVEs: 18
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 12, MEDIUM 4, LOW 1

Vulnerabilities

CVE-2026-21257 | HIGH | CVSS 8.0 | 2026-02-10 | CWE-77
GitHub Copilot and Visual Studio Elevation of Privilege Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an authorized attacker to elevate privileges over a network.
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the ri
Source: msrc

CVE-2026-21256 | HIGH | CVSS 8.8 | 2026-02-10 | CWE-77
GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code over a network.
FAQ: How could an attacker exploit this vulnerability? The AV:N rating indicates the vulnerability is exploitable over the network, me
Source: msrc

CVE-2025-62214 | MEDIUM | CVSS 6.7 | 2025-11-11 | CWE-77
Visual Studio Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code locally.
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does this mean for this vulnerability? Exploitation is not trivial for this vulnerability as it requires multiple steps:
Source: msrc

CVE-2025-55315 | CRITICAL | CVSS 9.9 | PoC | 2025-10-14 | CWE-444
ASP.NET Security Feature Bypass Vulnerability
Description: Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.
FAQ: How could an attacker exploit the vulnerability? An authenticated attacker could exploit the vulnerability by sending a malicious HTTP request to the web server.
FAQ: According to t
Source: msrc

CVE-2025-55240 | HIGH | CVSS 7.3 | 2025-10-14 | CWE-284
Visual Studio Elevation of Privilege Vulnerability
Description: Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally.
FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability? An authenticated attacker could place a malicious file on the path to the project directory and t
Source: msrc

CVE-2025-55248 | MEDIUM | CVSS 4.8 | 2025-10-14 | CWE-326
.NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability
Description: Inadequate encryption strength in .NET, .NET Framework, and Visual Studio allows an authorized attacker to disclose information over a network.
FAQ: What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited t
Source: msrc

CVE-2025-54132 | MEDIUM | CVSS 4.4 | 2025-10-14 | CWE-77
GitHub CVE-2025-54132: Arbitrary Image Fetch in Mermaid Diagram Tool
Description: Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image
Source: msrc

CVE-2025-53773 | HIGH | CVSS 7.8 | 2025-08-12 | CWE-77
GitHub Copilot and Visual Studio Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vuln
Source: msrc

CVE-2025-49739 | HIGH | CVSS 8.8 | 2025-07-08 | CWE-59
Visual Studio Elevation of Privilege Vulnerability
Description: Improper link resolution before file access ('link following') in Visual Studio allows an unauthorized attacker to elevate privileges over a network.
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Visual Studio: V
Source: msrc

CVE-2025-46334 | HIGH | CVSS 8.6 | 2025-07-08
GitHub: CVE-2025-46334 Git Malicious Shell Vulnerability
Description: CVE-2025-46334 is regarding a vulnerability in Git GUI (Windows only) where a malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu. GitHub
Source: msrc

CVE-2025-27614 | HIGH | CVSS 8.6 | 2025-07-08
GitHub: CVE-2025-27614 Gitk Arbitrary Code Execution Vulnerability
Description: CVE-2025-27614 is regarding a vulnerability in Gitk where a Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure. GitHub created this CVE on their behalf. The docum
Source: msrc

CVE-2025-48384 | HIGH | CVSS 8.0 | KEV | 2025-07-08
GitHub: CVE-2025-48384 Git Symlink Vulnerability
Description: CVE-2025-48384 is regarding a vulnerability in Git where when reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered p
Source: msrc

CVE-2025-46835 | HIGH | CVSS 8.5 | 2025-07-08
GitHub: CVE-2025-46835 Git File Overwrite Vulnerability
Description: CVE-2025-46835 is regarding a vulnerability in Git GUI where when a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file. GitHub created this CVE on their behalf. The documented Visual Studio updates incorporate update
Source: msrc

CVE-2025-48385 | HIGH | CVSS 8.6 | 2025-07-08
GitHub: CVE-2025-48385 Git Protocol Injection Vulnerability
Description: CVE-2025-48385 is regarding a vulnerability in Git where when cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform
Source: msrc

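Three of the Git advisories above describe a concrete artefact a defender can look for before trusting a checkout: CVE-2025-46334 (a worktree that ships its own sh.exe or astextplain program, which Windows path lookup can pick up instead of the real one), CVE-2025-48384 (a .gitmodules path value ending in a carriage return that Git strips on read but does not quote on write) and CVE-2025-48385 (bundle-URI fetching, which a client only performs when it has opted in through the transfer.bundleURI setting). The script below is an added example, not code from MSRC, Git or GitHub. It scans a directory for the first two indicators and a git config file for the third. The helper names, the find-based file walk (chosen so the example runs without git installed; on a real checkout use `git ls-files` instead, so only files the repository ships are reported), the constructed sample repository and the sample config are this example's own assumptions. Updating to a fixed Git build is the remedy; the scan only surfaces what is worth inspecting.

```shell
#!/bin/sh
# Added example, not MSRC, Git or GitHub code: a repository-hygiene scan for
# three indicators taken from the Git advisories on this page.
#   CVE-2025-46334  sh.exe or astextplain* shipped inside the worktree, where
#                   Windows path lookup can resolve them instead of the real
#                   programs when Git GUI runs "Git Bash" or "Browse Files".
#   CVE-2025-48384  a .gitmodules "path" value with a trailing carriage return,
#                   which Git strips on read but does not quote on write.
#   CVE-2025-48385  transfer.bundleURI = true in a git config file, the
#                   client-side opt-in for fetching server-advertised bundles.
# Helper names, the sample repository and the sample config are this example's
# own assumptions. Updating Git is the fix; this only flags what to inspect.

# Files under $1 (skipping .git/) named sh.exe or astextplain*, one per line.
# find is used so the example runs without git; on a real checkout prefer
# `git ls-files` so that only files the repository ships are reported.
find_shadow_binaries() {
    find "$1" -type f \( -iname 'sh.exe' -o -iname 'astextplain*' \) \
        ! -path '*/.git/*' | sort
}

# "path = ..." lines of $1/.gitmodules whose value ends in CR, with the CR
# rendered as <CR> so it is visible in a terminal.
find_cr_submodule_paths() {
    modules="$1/.gitmodules"
    [ -f "$modules" ] || return 0
    cr=$(printf '\r')            # a literal carriage return for the regex
    grep -n "^[[:space:]]*path[[:space:]]*=.*${cr}\$" "$modules" |
        sed "s/${cr}\$/<CR>/"
}

# Exit 0 if the git config file $1 sets transfer.bundleURI to true.
# Minimal INI walk in awk: strip comments, track the current [section],
# normalise "key=value" spacing, and compare names case-insensitively as
# git does for section and key names.
bundle_uri_enabled() {
    [ -f "$1" ] || return 1
    awk '
        { line = $0; sub(/[#;].*/, "", line) }
        line ~ /^[[:space:]]*\[/ {
            section = tolower(line); gsub(/[[:space:]]/, "", section); next
        }
        section == "[transfer]" {
            gsub(/=/, " = ", line); n = split(line, f)
            if (n >= 3 && tolower(f[1]) == "bundleuri" && f[2] == "=" &&
                tolower(f[3]) == "true") found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Run all three checks on repository $1 and config file $2 (defaults to
# ~/.gitconfig). Prints findings; returns 1 if anything fired, 0 if clean.
scan_repo() {
    repo="$1"; config="${2:-$HOME/.gitconfig}"; rc=0
    out=$(find_shadow_binaries "$repo")
    if [ -n "$out" ]; then
        printf 'CVE-2025-46334 indicator: executables shadowing PATH lookup:\n%s\n' "$out"
        rc=1
    fi
    out=$(find_cr_submodule_paths "$repo")
    if [ -n "$out" ]; then
        printf 'CVE-2025-48384 indicator: submodule path with trailing CR:\n%s\n' "$out"
        rc=1
    fi
    if bundle_uri_enabled "$config"; then
        printf 'CVE-2025-48385 exposure: transfer.bundleURI is enabled in %s\n' "$config"
        rc=1
    fi
    return $rc
}

# Constructed sample, not a real malicious repository: a worktree that ships
# tools/sh.exe, a .gitmodules whose path line ends in CR, and a config that
# opts in to bundle URIs. Prints the directory it created.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.git" "$dir/tools"
    : > "$dir/tools/sh.exe"
    printf '[submodule "lib"]\n\tpath = lib\r\n\turl = https://example.invalid/lib.git\n' \
        > "$dir/.gitmodules"
    printf '[core]\n\tautocrlf = false\n[transfer]\n\tbundleURI = true\n' \
        > "$dir/sample.gitconfig"
    printf '%s' "$dir"
}

sample=$(make_sample_repo)
scan_repo "$sample" "$sample/sample.gitconfig" || echo "flagged: $sample"
```

Against the constructed sample all three checks fire and `scan_repo` returns 1; on a clone you are about to open in Git GUI, run `scan_repo /path/to/checkout` and treat any hit as a reason to inspect the repository before selecting "Git Bash", "Browse Files" or initialising submodules.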
CVE-2025-48386 | MEDIUM | CVSS 6.3 | 2025-07-08
GitHub: CVE-2025-48386 Git Credential Helper Vulnerability
Description: CVE-2025-48386 is regarding a vulnerability in Git where the wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential b
Source: msrc

CVE-2025-27613 | LOW | CVSS 3.6 | 2025-07-08
GitHub: CVE-2025-27613 Gitk Arguments Vulnerability
Description: CVE-2025-27613 is regarding a vulnerability in Gitk where when a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enab
Source: msrc

CVE-2025-47959 | HIGH | CVSS 7.1 | 2025-06-10 | CWE-77
Visual Studio Remote Code Execution Vulnerability
Description: Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network.
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires that the target syste
Source: msrc

CVE-2025-30399 | HIGH | CVSS 7.5 | 2025-06-10 | CWE-426
.NET and Visual Studio Remote Code Execution Vulnerability
Description: Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? This attack requires a victim to perform a specific action, such as copying files or executing a command, an
Source: msrc