Description
Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of script‑related HTML tags in a Visual Studio Code web page provides a basic cross‑site scripting vulnerability that lets an attacker execute arbitrary code locally on a machine running VS Code.

Affected Systems

Microsoft Visual Studio Code is affected. No specific version range is listed, so any installed instance that has not applied the latest update is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, yet exploitation would likely require an attacker to get the user to open a crafted VS Code web page or exploit a local injection. The EPSS score of 0.0005 (<1%) and the fact that the vulnerability is not in the CISA KEV catalog suggest that the exploit probability in the wild may be lower, but the risk of local code execution remains significant for users who run untrusted content in the editor.

Generated by OpenCVE AI on May 15, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Visual Studio Code to the latest version, which contains the patch for the XSS flaw.
  • Ensure that Visual Studio Code automatically applies security updates or manually install the update as soon as possible.
  • If updating is not immediately possible, disable or restrict the execution of untrusted webviews or extensions that could load external content.

Generated by OpenCVE AI on May 15, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 13 May 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
Title Visual Studio Code Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-77
CWE-80
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:33:05.216Z

Reserved: 2026-04-21T22:14:12.923Z

Link: CVE-2026-41611

cve-icon Vulnrichment

Updated: 2026-05-13T10:00:15.092Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:22.980

Modified: 2026-05-15T15:05:19.573

Link: CVE-2026-41611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T17:15:04Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-80

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)