Description
Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of script‑related HTML tags in a Visual Studio Code web page provides a basic cross‑site scripting vulnerability that lets an attacker execute arbitrary code locally on a machine running VS Code.

Affected Systems

Microsoft Visual Studio Code is affected. No specific version range is listed, so any installed instance that has not applied the latest update is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, yet exploitation would likely require an attacker to get the user to open a crafted VS Code web page or exploit a local injection. The EPSS score is not available and the vulnerability is not in the CISA KEV catalog, suggesting that the exploit probability in the wild may be lower, but the risk of local code execution remains significant for users who run untrusted content in the editor.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Visual Studio Code to the latest version, which contains the patch for the XSS flaw.
  • Ensure that Visual Studio Code automatically applies security updates or manually install the update as soon as possible.
  • If updating is not immediately possible, disable or restrict the execution of untrusted webviews or extensions that could load external content.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
Title Visual Studio Code Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-77
CWE-80
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:57:21.106Z

Reserved: 2026-04-21T22:14:12.923Z

Link: CVE-2026-41611

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:22.980

Modified: 2026-05-12T18:17:22.980

Link: CVE-2026-41611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:30:24Z

Weaknesses