The vulnerability originates from improper neutralization of input during web page generation in Visual Studio Code. User-controlled data that is not correctly escaped can be injected as script, causing cross‑site scripting that runs within the editor’s context. This allows a malicious actor to execute arbitrary code and interact with local resources, thereby bypassing built‑in security guardrails, accessing confidential information, and modifying the application state. The weakness matches CWE‑79, CWE‑200, and CWE‑59.

Microsoft Visual Studio Code. All versions released prior to the vendor’s fix are potentially affected, as the issue is tied to a global input handling flaw in the product. Users should verify whether their local installations match the pre‑patch state and plan to upgrade accordingly.

The CVSS assessment rates the flaw as moderate with a score of 6.3. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the editor, typically through a malicious extension, script, or user‑provided content that is rendered into a web page. Given the local nature of the threat, the risk is limited to environments where an attacker can influence the input processed by Visual Studio Code, but the impact remains significant due to the ability to execute arbitrary scripts and access sensitive data.