
MSRC Visual Studio Code vulnerabilities

49 known vulnerabilities affecting msrc/visual_studio_code.

Total CVEs: 49
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 41, MEDIUM 7

Vulnerabilities

Page 1 of 3
CVE-2026-21523 | HIGH | CVSS 8.0 | 2026-02-10
CVE-2026-21523 [HIGH] CWE-367 GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability. Description: Time-of-check time-of-use (TOCTOU) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a network. FAQ: How could an attacker exploit this vulnerability? The AV:N rating indicates the vulnerability is exploitable over the network, meaning an attacker can del
msrc
CVE-2026-21518 | HIGH | CVSS 8.8 | 2026-02-10
CVE-2026-21518 [HIGH] CWE-77 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability. Description: Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature over a network. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? Th
msrc
CVE-2025-64660 | HIGH | CVSS 8.0 | 2025-11-11
CVE-2025-64660 [HIGH] CWE-284 GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability. Description: Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network. FAQ: According to the CVSS metric, privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this remote code execution vulnerability? A
msrc
CVE-2025-62453 | MEDIUM | CVSS 5.0 | 2025-11-11
CVE-2025-62453 [MEDIUM] CWE-1426 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability. Description: Improper validation of generative AI output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally. FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker who successfully exploited this vul
msrc
CVE-2025-55319 | HIGH | CVSS 8.8 | 2025-09-09
CVE-2025-55319 [HIGH] CWE-77 Agentic AI and Visual Studio Code Remote Code Execution Vulnerability. Description: AI command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network. Agentic AI and Visual Studio Code: Agentic AI and Visual Studio Code Microsoft: Microsoft Customer Action Required: Yes Impact: Remote Code Execution Exploit Status: Publicly Disclosed: No; Ex
msrc
CVE-2025-21264 | HIGH | CVSS 7.1 | 2025-05-13
CVE-2025-21264 [HIGH] CWE-552 Visual Studio Code Security Feature Bypass Vulnerability. Description: Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and some loss of integrity (I:L), but no loss of availability (A
msrc
CVE-2025-32726 | MEDIUM | CVSS 6.8 | 2025-04-08
CVE-2025-32726 [MEDIUM] CWE-284 Visual Studio Code Elevation of Privilege Vulnerability. Description: Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could execute code in the context of another Visual Studio Code user on the vu
msrc
CVE-2025-26631 | HIGH | CVSS 7.3 | 2025-03-11
CVE-2025-26631 [HIGH] CWE-427 Visual Studio Code Elevation of Privilege Vulnerability. Description: Uncontrolled search path element in Visual Studio Code allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. FAQ: According to the CVSS metric, user
msrc
CVE-2025-24039 | HIGH | CVSS 7.3 | 2025-02-11
CVE-2025-24039 [HIGH] CWE-427 Visual Studio Code Elevation of Privilege Vulnerability. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized a
msrc
CVE-2024-43488 | HIGH | CVSS 8.8 | 2024-10-08
CVE-2024-43488 [HIGH] CWE-306 Visual Studio Code extension for Arduino Remote Code Execution Vulnerability. Description: Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through network attack vector. FAQ: Why are there no links to an update or instructions with steps that must be taken to protect from this vulne
msrc
CVE-2024-26165 | HIGH | CVSS 8.8 | 2024-03-12
CVE-2024-26165 [HIGH] CWE-256 Visual Studio Code Elevation of Privilege Vulnerability. Visual Studio Code: Visual Studio Code Microsoft: Microsoft Customer Action Required: Yes Impact: Elevation of Privilege Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; DOS: N/A Remediation: Release Notes Reference: https://code.visualstudio.com/ Reference: https://code.visualstudio.com/updates/v1_
msrc
CVE-2023-39956 | HIGH | CVSS 6.1 | 2023-09-12
CVE-2023-39956 [MEDIUM] Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability. FAQ: Why is this Electron CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Electron software which is consumed by Visual Studio Code. It is being documented in the Security Update Guide to announce that the latest build of Visual Studio Code is no longer vulnerable. Please
msrc
CVE-2023-36742 | HIGH | CVSS 7.8 | 2023-09-12
CVE-2023-36742 [HIGH] Visual Studio Code Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim ne
msrc
CVE-2023-33144 | MEDIUM | CVSS 6.6 | 2023-06-13
CVE-2023-33144 [MEDIUM] CWE-23 Visual Studio Code Spoofing Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authenticated attacker would have to send the victim a malicious file that the victim would have to open with Visual Studio Code. Visual Studio Code: Visual Studio Code Microsoft: Microsoft Customer Action Required: Yes Imp
msrc
CVE-2023-29338 | MEDIUM | CVSS 6.6 | 2023-05-09
CVE-2023-29338 [MEDIUM] CWE-285 Visual Studio Code Spoofing Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability? An authorized attacker must send the user a malicious file and convince the user to open it. Visual Studio Code: Visual Studio Code Microsoft: Microsoft Customer Action Required: Yes Impact: Spoofing Exploit Status: Publicly
msrc
CVE-2023-24893 | HIGH | CVSS 7.8 | 2023-04-11
CVE-2023-24893 [HIGH] CWE-20 Visual Studio Code Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score
msrc
CVE-2023-21779 | HIGH | CVSS 7.8 | 2023-01-10
CVE-2023-21779 [HIGH] CWE-502 Visual Studio Code Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score
msrc
CVE-2022-41034 | HIGH | CVSS 7.8 | PoC | 2022-10-11
CVE-2022-41034 [HIGH] Visual Studio Code Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicat
msrc
CVE-2022-41042 | HIGH | CVSS 7.4 | 2022-10-11
CVE-2022-41042 [HIGH] Visual Studio Code Information Disclosure Vulnerability. FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, a successful attack can break out of the Visual Studio Code Workspace Trust feature. See Workspace Trust for more information. FAQ: According to the CVSS metric, user interaction is required (UI:R). What inter
msrc
CVE-2022-38020 | HIGH | CVSS 7.3 | 2022-09-13
CVE-2022-38020 [HIGH] Visual Studio Code Elevation of Privilege Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have to be enticed to open a malicious file in a directory. Users should never open anything that they do not know or trust to be safe. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An
msrc