Description
Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Visual Studio Code allows an unauthorized actor to read sensitive information that the editor may have in memory or send over the network. The flaw is classified as an information disclosure risk, as described by CWE-200. The impact is that confidential code, files or configuration data could leak to an observer of the network traffic or local connection, potentially exposing intellectual property or credentials.

Affected Systems

Microsoft Visual Studio Code is affected. No specific version range is listed in the CNA data, so all installed instances of Visual Studio Code that have not yet applied Microsoft’s hotfix are potentially vulnerable. Checking the Microsoft Security Response Center or the update guide linked in the references will provide the exact version numbers requiring the update.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS score is < 1%, indicating a low likelihood of exploitation. The vulnerability is not tracked in the CISA KEV catalog, suggesting that no widespread exploitation is confirmed yet. Based on the description, the likely attack vector is a network connection used by VS Code – for example, a local or remote debugging session – that could expose sensitive data if the connection is not properly protected. An attacker who can reach the VS Code process over the network could exploit the flaw and capture the disclosed information.

Generated by OpenCVE AI on June 18, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft patch or install the latest version of Visual Studio Code that contains the fix.
  • Disable or restrict VS Code network features that expose data, such as remote debugging or extension host networking, when not needed.
  • Configure firewall or network policies to block unsolicited connections to VS Code’s debugging ports and monitor traffic for unauthorized data transfer.

Generated by OpenCVE AI on June 18, 2026 at 01:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Title Visual Studio Code Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:49.417Z

Reserved: 2026-05-18T23:53:33.896Z

Link: CVE-2026-47284

cve-icon Vulnrichment

Updated: 2026-06-10T12:38:12.688Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T17:17:34.077

Modified: 2026-06-15T14:15:15.607

Link: CVE-2026-47284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:00:05Z

Weaknesses