Description
Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input validation within Visual Studio Code, permitting an attacker lacking authorization to gain elevated privileges over a network connection. This flaw is classified as an input validation failure, aligning with CWE-20. Because the attacker can exploit this to elevate privileges, the potential impact includes unauthorized data access, configuration changes, or execution of further malicious actions with higher privileges. The scope extends across any user interacting with the affected software over the network.

Affected Systems

The flaw affects Microsoft Visual Studio Code. Specific version information was not provided, so the issue may be present across multiple releases until patched. All installations that expose VS Code to network traffic are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity of the flaw. The EPSS score is not available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attacker must be able to interact with VS Code over a network, suggesting the attack vector is likely network-based. No additional prerequisites were specified, implying that any remote user who can send crafted input to VS Code may be able to exploit the flaw.

Generated by OpenCVE AI on June 9, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Visual Studio Code update from Microsoft.
  • Configure network controls or a firewall to restrict inbound and outbound traffic to the VS Code application to only trusted sources.
  • Implement monitoring of VS Code logs for unusual input patterns or elevated privilege activity.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description |  | Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Title |  | Visual Studio Code Elevation of Privilege Vulnerability
First Time appeared |  | Microsoft; Microsoft visual Studio Code
Weaknesses |  | CWE-20
CPEs |  | cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products |  | Microsoft; Microsoft visual Studio Code
References |  |
Metrics |  | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T10:21:06.156Z

Reserved: 2026-04-11T23:06:15.615Z

Link: CVE-2026-40376

Vulnrichment

Updated: 2026-06-10T10:20:59.334Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:06.110

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-40376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T18:45:06Z
