Vulnerability-Lookup

WID-SEC-W-2026-1845

Vulnerability from csaf_certbund - Published: 2026-06-09 22:00 - Updated: 2026-06-09 22:00

Summary

Microsoft DeveloperTools: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Visual Studio Code ist ein Quelltext-Editor von Microsoft. Microsoft ASP.NET (Active Server Pages .NET) ist eine Technologie zum Erstellen dynamischer Webseiten, Webanwendungen und Webservices auf Basis des Microsoft .NET-Frameworks. Microsoft .NET ist ein Software-Framework für die Entwicklung und Ausführung von Anwendungen. Microsoft Visual Studio ist eine integrierte Entwicklungsumgebung (IDE) von Microsoft, die zum Erstellen von Anwendungen für verschiedene Plattformen verwendet wird.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Microsoft Visual Studio Code, Microsoft ASP.NET, Microsoft .NET und Microsoft Visual Studio 2026 ausnutzen, um Administratorrechte zu erlangen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder die Authentifizierung zu umgehen.

Betroffene Betriebssysteme: - Linux - MacOS X - Windows

CVE-2026-40376

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-45482

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-45490

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-45491

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-45591

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-45644

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-47281

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-47284

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-47287

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-47292

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

CVE-2026-48569

Affected products

Known affected 10 products

Product	Identifier	Version
Microsoft Visual Studio Code Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-`	—
Microsoft Visual Studio Code CoPilot Chat Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:copilot_chat_extension`	CoPilot Chat Extension
Microsoft ASP.NET Core 9.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_9.0`	Core 9.0
Microsoft .NET 10.0 Microsoft / .NET	`cpe:/a:microsoft:.net:10.0`	10
Microsoft .NET 9.0 Microsoft / .NET	`cpe:/a:microsoft:.net:9.0`	9
Microsoft Visual Studio 2026 version 18.6 Microsoft / Visual Studio 2026		version 18.6
Microsoft Visual Studio Code - MSSQL Extension Microsoft / Visual Studio Code	`cpe:/a:microsoft:visual_studio_code:-_mssql_extension`	- MSSQL Extension
Microsoft ASP.NET Core 10.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_10.0`	Core 10.0
Microsoft .NET 8.0 Microsoft / .NET	`cpe:/a:microsoft:.net:8.0`	8
Microsoft ASP.NET Core 8.0 Microsoft / ASP.NET	`cpe:/a:microsoft:asp.net:core_8.0`	Core 8.0

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://msrc.microsoft.com/update-guide/	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Visual Studio Code ist ein Quelltext-Editor von Microsoft. \r\nMicrosoft ASP.NET (Active Server Pages .NET) ist eine Technologie zum Erstellen dynamischer Webseiten, Webanwendungen und Webservices auf Basis des Microsoft .NET-Frameworks.\r\nMicrosoft .NET ist ein Software-Framework f\u00fcr die Entwicklung und Ausf\u00fchrung von Anwendungen.\r\nMicrosoft Visual Studio ist eine integrierte Entwicklungsumgebung (IDE) von Microsoft, die zum Erstellen von Anwendungen f\u00fcr verschiedene Plattformen verwendet wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Visual Studio Code, Microsoft ASP.NET, Microsoft .NET und Microsoft Visual Studio 2026 ausnutzen, um Administratorrechte zu erlangen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder die Authentifizierung zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1845 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1845.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1845 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1845"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates",
        "url": "https://msrc.microsoft.com/update-guide/"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft DeveloperTools: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-09T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-10T06:20:57.549+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1845",
      "initial_release_date": "2026-06-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "10",
                "product": {
                  "name": "Microsoft .NET 10.0",
                  "product_id": "T051615",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:.net:10.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9",
                "product": {
                  "name": "Microsoft .NET 9.0",
                  "product_id": "T051616",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:.net:9.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8",
                "product": {
                  "name": "Microsoft .NET 8.0",
                  "product_id": "T055115",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:.net:8.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": ".NET"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Core 8.0",
                "product": {
                  "name": "Microsoft ASP.NET Core 8.0",
                  "product_id": "T055114",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:asp.net:core_8.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Core 9.0",
                "product": {
                  "name": "Microsoft ASP.NET Core 9.0",
                  "product_id": "T055122",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:asp.net:core_9.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Core 10.0",
                "product": {
                  "name": "Microsoft ASP.NET Core 10.0",
                  "product_id": "T055127",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:asp.net:core_10.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "ASP.NET"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "version 18.6",
                "product": {
                  "name": "Microsoft Visual Studio 2026 version 18.6",
                  "product_id": "T055129"
                }
              }
            ],
            "category": "product_name",
            "name": "Visual Studio 2026"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Microsoft Visual Studio Code",
                "product": {
                  "name": "Microsoft Visual Studio Code",
                  "product_id": "T055113",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:visual_studio_code:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "CoPilot Chat Extension",
                "product": {
                  "name": "Microsoft Visual Studio Code CoPilot Chat Extension",
                  "product_id": "T055123",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:visual_studio_code:copilot_chat_extension"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "- MSSQL Extension",
                "product": {
                  "name": "Microsoft Visual Studio Code - MSSQL Extension",
                  "product_id": "T055128",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:visual_studio_code:-_mssql_extension"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Visual Studio Code"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40376",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-40376"
    },
    {
      "cve": "CVE-2026-45482",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-45482"
    },
    {
      "cve": "CVE-2026-45490",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-45490"
    },
    {
      "cve": "CVE-2026-45491",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-45491"
    },
    {
      "cve": "CVE-2026-45591",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-45591"
    },
    {
      "cve": "CVE-2026-45644",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-45644"
    },
    {
      "cve": "CVE-2026-47281",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-47281"
    },
    {
      "cve": "CVE-2026-47284",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-47284"
    },
    {
      "cve": "CVE-2026-47287",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-47287"
    },
    {
      "cve": "CVE-2026-47292",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-47292"
    },
    {
      "cve": "CVE-2026-48569",
      "product_status": {
        "known_affected": [
          "T055113",
          "T055123",
          "T055122",
          "T051615",
          "T051616",
          "T055129",
          "T055128",
          "T055127",
          "T055115",
          "T055114"
        ]
      },
      "release_date": "2026-06-09T22:00:00.000+00:00",
      "title": "CVE-2026-48569"
    }
  ]
}

CVE-2026-40376 (GCVE-0-2026-40376)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:55

Title

Visual Studio Code Elevation of Privilege Vulnerability

Summary

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Visual Studio Code	Affected: 1.0.0 , < 1.123.2 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40376",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:56:52.300828Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:21:06.156Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:55:21.420Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40376"
        }
      ],
      "title": "Visual Studio Code Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-40376",
    "datePublished": "2026-06-09T17:05:21.405Z",
    "dateReserved": "2026-04-11T23:06:15.615Z",
    "dateUpdated": "2026-06-10T17:55:21.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45482 (GCVE-0-2026-45482)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:55

Title

Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability

Summary

Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

Severity

8.4 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Microsoft Visual Studio Code CoPilot Chat Extension	Affected: 0.27.0 , < 1.123.2 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:00.449616Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:19:54.786Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Visual Studio Code CoPilot Chat Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.2",
              "status": "affected",
              "version": "0.27.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code_copilot_chat_extension:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.2",
                  "versionStartIncluding": "0.27.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper limitation of a pathname to a restricted directory (\u0027path traversal\u0027) in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:55:21.983Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45482"
        }
      ],
      "title": "Microsoft Visual Studio Code CoPilot Chat Security Feature Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45482",
    "datePublished": "2026-06-09T17:05:28.201Z",
    "dateReserved": "2026-05-12T16:07:22.617Z",
    "dateUpdated": "2026-06-10T17:55:21.983Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45490 (GCVE-0-2026-45490)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:04 – Updated: 2026-06-10 17:53

Title

.NET SDK Elevation of Privilege Vulnerability

Summary

Improper authorization in .NET allows an authorized attacker to elevate privileges locally.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-285 - Improper Authorization

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

3 products

Vendor	Product	Version
Microsoft	.NET 10.0	Affected: 10.0.0 , < 10.0.9 (custom)
Microsoft	.NET 8.0	Affected: 8.0.0 , < 8.0.28 (custom)
Microsoft	.NET 9.0	Affected: 9.0.0 , < 9.0.17 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45490",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:55:40.740762Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:29:11.275Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper authorization in .NET allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:53:33.889Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": ".NET SDK Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45490"
        }
      ],
      "title": ".NET SDK Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45490",
    "datePublished": "2026-06-09T17:04:43.900Z",
    "dateReserved": "2026-05-12T16:07:22.618Z",
    "dateUpdated": "2026-06-10T17:53:33.889Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45491 (GCVE-0-2026-45491)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:04 – Updated: 2026-06-10 17:53

Title

.NET Tampering Vulnerability

Summary

Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally.

Severity

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

4 products

Vendor	Product	Version
Microsoft	.NET 10.0	Affected: 10.0.0 , < 10.0.9 (custom)
Microsoft	.NET 8.0	Affected: 8.0 , < 8.0.28 (custom)
Microsoft	.NET 8.0	Affected: 8.0.0 , < 8.0.28 (custom)
Microsoft	.NET 9.0	Affected: 9.0.0 , < 9.0.17 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45491",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:17:16.966103Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:17:26.789Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper link resolution before file access (\u0027link following\u0027) in .NET allows an unauthorized attacker to perform tampering locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-59",
              "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:53:34.455Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": ".NET Tampering Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45491"
        }
      ],
      "title": ".NET Tampering Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45491",
    "datePublished": "2026-06-09T17:04:44.457Z",
    "dateReserved": "2026-05-12T16:07:22.618Z",
    "dateUpdated": "2026-06-10T17:53:34.455Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45591 (GCVE-0-2026-45591)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:54

Title

ASP.NET Core Denial of Service Vulnerability

Summary

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

7 products

Vendor	Product	Version
Microsoft	.NET 10.0	Affected: 10.0.0 , < 10.0.9 (custom)
Microsoft	.NET 8.0	Affected: 8.0.0 , < 8.0.28 (custom)
Microsoft	.NET 9.0	Affected: 9.0.0 , < 9.0.17 (custom)
Microsoft	ASP.NET Core 10.0	Affected: 10.0 , < 10.0.9 (custom)
Microsoft	ASP.NET Core 8.0	Affected: 8.0 , < 8.0.28 (custom)
Microsoft	ASP.NET Core 9.0	Affected: 9.0 , < 9.0.17 (custom)
Microsoft	Microsoft Visual Studio 2026 version 18.6	Affected: 18.6.0 , < 18.6.3 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45591",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:47:51.768280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:47:58.238Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": ".NET 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": ".NET 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 10.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.9",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 8.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "8.0.28",
              "status": "affected",
              "version": "8.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "ASP.NET Core 9.0",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "9.0.17",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Microsoft Visual Studio 2026 version 18.6",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "18.6.3",
              "status": "affected",
              "version": "18.6.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "18.6.3",
                  "versionStartIncluding": "18.6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.9",
                  "versionStartIncluding": "10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.0.28",
                  "versionStartIncluding": "8.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "9.0.17",
                  "versionStartIncluding": "9.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:54:19.155Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "ASP.NET Core Denial of Service Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591"
        }
      ],
      "title": "ASP.NET Core Denial of Service Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45591",
    "datePublished": "2026-06-09T17:05:29.575Z",
    "dateReserved": "2026-05-12T19:55:45.730Z",
    "dateUpdated": "2026-06-10T17:54:19.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-45644 (GCVE-0-2026-45644)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:54

Title

Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network.

Severity

8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Microsoft Live Share Canvas SDK	Affected: 1.0.0 , < 1.4.2 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45644",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T13:42:41.226873Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T13:43:10.024Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft Live Share Canvas SDK",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.4.2",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:Live_share_canvas:*:SDK:*:*:*:*:*:*",
                  "versionEndExcluding": "1.4.2",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:54:32.569Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644"
        }
      ],
      "title": "Microsoft Live Share Canvas SDK Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-45644",
    "datePublished": "2026-06-09T17:05:42.550Z",
    "dateReserved": "2026-05-12T20:33:35.156Z",
    "dateUpdated": "2026-06-10T17:54:32.569Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47281 (GCVE-0-2026-47281)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:54

Title

Visual Studio Code Elevation of Privilege Vulnerability

Summary

Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-862 - Missing Authorization
CWE-306 - Missing Authentication for Critical Function
CWE-798 - Use of Hard-coded Credentials

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Visual Studio Code	Affected: 1.0.0 , < 1.123.1 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:01.725468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:16:28.210Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.1",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:54:35.579Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47281"
        }
      ],
      "title": "Visual Studio Code Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47281",
    "datePublished": "2026-06-09T17:05:45.974Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-10T17:54:35.579Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47284 (GCVE-0-2026-47284)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:05 – Updated: 2026-06-10 17:54

Title

Visual Studio Code Information Disclosure Vulnerability

Summary

Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Visual Studio Code	Affected: 1.0.0 , < 1.123.1 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47284",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T12:38:01.374004Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T12:38:17.320Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.1",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:54:36.257Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47284"
        }
      ],
      "title": "Visual Studio Code Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47284",
    "datePublished": "2026-06-09T17:05:46.525Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-10T17:54:36.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47287 (GCVE-0-2026-47287)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:04 – Updated: 2026-06-10 17:53

Title

Visual Studio Code Tampering Vulnerability

Summary

Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-23 - Relative Path Traversal

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Visual Studio Code	Affected: 1.0.0 , < 1.123.1 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47287",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T18:04:52.851543Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T18:04:59.553Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.1",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-23",
              "description": "CWE-23: Relative Path Traversal",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:53:47.785Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code Tampering Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47287"
        }
      ],
      "title": "Visual Studio Code Tampering Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47287",
    "datePublished": "2026-06-09T17:04:57.494Z",
    "dateReserved": "2026-05-18T23:53:33.896Z",
    "dateUpdated": "2026-06-10T17:53:47.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47292 (GCVE-0-2026-47292)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:04 – Updated: 2026-06-10 17:53

Title

Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability

Summary

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.

Severity

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Visual Studio Code - MSSQL Extension	Affected: 1.0.0 , < 1.123.1 (custom)

Date Public

2026-06-09 14:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47292",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:50.382011Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:25:57.393Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Studio Code - MSSQL Extension",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.123.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:visual_studio_code_mssql_extension:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.123.1",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T17:53:50.156Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47292"
        }
      ],
      "title": "Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-47292",
    "datePublished": "2026-06-09T17:04:59.894Z",
    "dateReserved": "2026-05-18T23:53:33.897Z",
    "dateUpdated": "2026-06-10T17:53:50.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1845

CVE-2026-40376 (GCVE-0-2026-40376)

CVE-2026-45482 (GCVE-0-2026-45482)

CVE-2026-45490 (GCVE-0-2026-45490)

CVE-2026-45491 (GCVE-0-2026-45491)

CVE-2026-45591 (GCVE-0-2026-45591)

CVE-2026-45644 (GCVE-0-2026-45644)

CVE-2026-47281 (GCVE-0-2026-47281)

CVE-2026-47284 (GCVE-0-2026-47284)

CVE-2026-47287 (GCVE-0-2026-47287)

CVE-2026-47292 (GCVE-0-2026-47292)

Tags

Sightings

Nomenclature