Description
Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Visual Studio Code allows an unauthorized actor to read sensitive information that the editor may have in memory or send over the network. The flaw is classified as an information disclosure risk, as described by CWE‑200. The impact is that confidential code, files or configuration data could leak to an observer of the network traffic or local connection, potentially exposing intellectual property or credentials.

Affected Systems

Microsoft Visual Studio Code is affected. No specific version range is listed in the CNA data, so all installed instances of Visual Studio Code that have not yet applied Microsoft’s hotfix are potentially vulnerable. Checking the Microsoft Security Response Center or the update guide linked in the references will provide the exact version numbers requiring the update.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. EPSS data is not available, and the vulnerability is not tracked in the CISA KEV catalog, suggesting that no widespread exploitation is confirmed yet. Based on the description, the likely attack vector is a network connection used by VS Code – for example, a local or remote debugging session – that could expose sensitive data if the connection is not properly protected. An attacker who can reach the VS Code process over the network could exploit the flaw and capture the disclosed information.

Generated by OpenCVE AI on June 9, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft patch or install the latest version of Visual Studio Code that contains the fix.
  • Disable or restrict VS Code network features that expose data, such as remote debugging or extension host networking, when not needed.
  • Configure firewall or network policies to block unsolicited connections to VS Code’s debugging ports and monitor traffic for unauthorized data transfer.

Generated by OpenCVE AI on June 9, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Title Visual Studio Code Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:59.096Z

Reserved: 2026-05-18T23:53:33.896Z

Link: CVE-2026-47284

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:34.077

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses