Description
Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the MSSQL Extension for Visual Studio Code including functionality that originates from an untrusted control sphere, allowing an unauthorized attacker to elevate their privileges locally. This elevation can enable the attacker to execute arbitrary code or make unauthorized modifications within the user's environment, representing a significant compromise of system integrity. The weakness is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and CWE-94 (Improper Control of Generation of Code, i.e. code injection).

Affected Systems

Microsoft Visual Studio Code MSSQL Extension is affected. No specific version range is provided, so all installations using this extension are potentially vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 7.8 classifies the issue as high severity, and although the EPSS score is not available, the absence of a CISA KEV listing means no publicly disclosed active exploitation has been reported. The likely attack vector is the extension's ability to execute code, which presumably requires the extension to be installed and running within the Visual Studio Code environment. In the absence of exploitation data, the risk remains high, especially for systems that rely on the MSSQL Extension without additional access controls.

Generated by OpenCVE AI on June 9, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for Visual Studio Code that addresses the MSSQL Extension fix, as released by Microsoft.
  • Verify that the update includes the privilege escalation protection by reviewing the Microsoft Security Advisory linked in the reference above.
  • If the extension is not essential, consider disabling or uninstalling it until the update is applied to eliminate the attack surface.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft visual Studio Code
CPEs | | cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft visual Studio Code

Wed, 10 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
Title | | Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft visual Studio Code Mssql Extension
Weaknesses | | CWE-829; CWE-94
CPEs | | cpe:2.3:a:microsoft:visual_studio_code_mssql_extension:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft visual Studio Code Mssql Extension
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-26T19:41:07.329Z

Reserved: 2026-05-18T23:53:33.897Z

Link: CVE-2026-47292

Vulnrichment

Updated: 2026-06-10T10:25:51.007Z

NVD

Status: Analyzed

Published: 2026-06-09T17:17:34.800

Modified: 2026-06-15T14:16:37.087

Link: CVE-2026-47292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:22:28Z

Weaknesses
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  • CWE-94: Improper Control of Generation of Code ('Code Injection')