Description
Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.
Published: 2026-06-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft Visual Studio Code is vulnerable to a relative path traversal flaw that allows an unauthorized attacker to tamper with files over a network. The weakness, identified as CWE-23, permits modification of code or configuration files when a malicious actor can influence request paths. The result is the potential for code injection, alteration of application behavior, or escalation of privileges within the development environment.

Affected Systems

The flaw impacts Microsoft Visual Studio Code on all platforms where it is installed. No specific version range is indicated, so any installation of Visual Studio Code may be susceptible until the vendor releases a fixed build.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity, and although an EPSS score is not available, the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote network connection that an attacker can manipulate, exploiting the relative path traversal to modify files. Given the moderate severity and lack of known exploitation stats, the risk remains significant for any environment that accepts external connections to VS Code or runs untrusted code.

Generated by OpenCVE AI on June 9, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Visual Studio Code to the latest version that includes the fix for CVE-2026-47287.
  • Restrict network connectivity for Visual Studio Code or run it in a sandboxed environment to limit unauthorized remote access.
  • Disable or block untrusted extensions and enforce least‑privilege extension permissions.
  • Configure the editor to use read‑only mode for critical files and monitor the file system for unexpected changes.

Generated by OpenCVE AI on June 9, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.
Title Visual Studio Code Tampering Vulnerability
First Time appeared Microsoft
Microsoft visual Studio Code
Weaknesses CWE-23
CPEs cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft visual Studio Code
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Visual Studio Code
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T17:53:47.785Z

Reserved: 2026-05-18T23:53:33.896Z

Link: CVE-2026-47287

cve-icon Vulnrichment

Updated: 2026-06-09T18:04:55.880Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:34.193

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47287

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T22:30:14Z

Weaknesses