Description
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Published: 2026-05-12
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relative path traversal flaw in Microsoft Visual Studio Code's Live Preview extension allows an unauthorized local attacker to read files outside the intended project directory. The vulnerability permits disclosure of potentially sensitive data stored on the victim's machine. The weakness is a classic pathname traversal issue and is classified under CWE-22 and CWE-23.

Affected Systems

The vulnerable component is the Live Preview extension supplied by Microsoft for Visual Studio Code. No specific version range is enumerated, so all installations of the extension that have not been patched are potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity impact. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires local presence, the attack surface is limited to users who have access to the target machine and can install or otherwise execute the extension. Exploitation would involve manipulating file paths passed to the preview functionality to access arbitrary files within the system's file space.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Live Preview extension to the latest version once the vendor releases a fix for the path-traversal flaw.
  • If an update is unavailable, uninstall or disable the Live Preview extension to eliminate the attack vector until a patch is released.
  • Configure the Visual Studio Code workspace settings to restrict extension permissions, ensuring that extensions cannot read or write files outside the designated project directory.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft live Preview
CPEs cpe:2.3:a:microsoft:live_preview:*:*:*:*:*:visual_studio_code:*:*
Vendors & Products Microsoft live Preview

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Title Visual Studio Code Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-22
CWE-23
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:livepreview:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Live Preview Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:33:05.804Z

Reserved: 2026-04-21T22:14:12.923Z

Link: CVE-2026-41612

cve-icon Vulnrichment

Updated: 2026-05-13T10:20:12.842Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:23.113

Modified: 2026-05-15T14:25:28.623

Link: CVE-2026-41612

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-23

    Relative Path Traversal