Description
Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Published: 2026-05-12
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relative path traversal flaw in Microsoft Visual Studio Code's Live Preview extension allows an unauthorized local attacker to read files outside the intended project directory. The vulnerability permits disclosure of potentially sensitive data stored on the victim's machine. The weakness is a classic pathname traversal issue and is classified under CWE-22 and CWE-23.

Affected Systems

The vulnerable component is the Live Preview extension supplied by Microsoft for Visual Studio Code. No specific version range is enumerated, so all installations of the extension that have not been patched are potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity impact. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Because the flaw requires local presence, the attack surface is limited to users who have access to the target machine and can install or otherwise execute the extension. Exploitation would involve manipulating file paths passed to the preview functionality to access arbitrary files within the system's file space.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Live Preview extension to the latest version once the vendor releases a fix for the path-traversal flaw.
  • If an update is unavailable, uninstall or disable the Live Preview extension to eliminate the attack vector until a patch is released.
  • Configure the Visual Studio Code workspace settings to restrict extension permissions, ensuring that extensions cannot read or write files outside the designated project directory.

Generated by OpenCVE AI on May 12, 2026 at 20:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
Title Visual Studio Code Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-22
CWE-23
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:livepreview:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:53:55.840Z

Reserved: 2026-04-21T22:14:12.923Z

Link: CVE-2026-41612

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:23.113

Modified: 2026-05-12T18:17:23.113

Link: CVE-2026-41612

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses