Description
Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
Published: 2026-06-09
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the MSSQL Extension for Visual Studio Code including functionality that originates from an untrusted control sphere (CWE-829), which in turn opens a path to code injection (CWE-94). Microsoft's description frames the result as local privilege elevation, while the title it assigned to the entry calls it a remote code execution vulnerability; the recorded CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) reconciles the two: an attacker with no prior privileges can, given some user interaction (the entry does not state which), execute arbitrary code and make unauthorized modifications in that user's environment, with high impact on confidentiality, integrity and availability. Scope is unchanged, so the compromise is bounded by the privileges of the user running Visual Studio Code.

Affected Systems

Microsoft Visual Studio Code MSSQL Extension is affected. The CPE recorded for the entry (cpe:2.3:a:microsoft:visual_studio_code_mssql_extension:*:*:*:*:*:*:*:*) carries a wildcard version, so no affected version range is stated; every installation of the extension should be treated as potentially vulnerable until the patched version is confirmed from the Microsoft advisory. Visual Studio Code itself is not listed as an affected product.

Risk and Exploitability

The CVSS base score of 7.8 classifies the issue as high severity. No EPSS score is available, and the entry is not in the CISA KEV catalog; absence from KEV only means CISA has not confirmed exploitation in the wild, not that none has occurred. The temporal metrics in the recorded vector (E:U/RL:O/RC:C) state that exploit maturity is unproven, that an official fix is available and that the report is confirmed. The attack vector is local and requires user interaction (AV:L/UI:R): exploitation requires the extension to be installed in Visual Studio Code and a user to take some action that causes the extension to load attacker-controlled content. Until exploitation data appears, the risk should be treated as high for any workstation with the extension installed, particularly developer machines used to connect to SQL Server.

Generated by OpenCVE AI on June 9, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround is recorded on this page. Note, however, that the CVSS temporal metric RL:O in the recorded vector indicates an official fix is available, so the Microsoft Security Response Center entry for CVE-2026-47292 should be checked for the patched extension version.

OpenCVE Recommended Actions

  • Update the MSSQL extension itself (the affected CPE is the extension, not Visual Studio Code) to the version Microsoft identifies as fixed, via the Extensions view or the VS Code command line.
  • Verify that the installed extension version matches or exceeds the fixed version named in the Microsoft Security Response Center advisory for CVE-2026-47292; this page records no reference link, so locate the advisory by CVE identifier.
  • If the extension is not essential, disable or uninstall it until the update is applied, which removes the attack surface entirely; disabling it from the command line lasts only for that session, so uninstalling is the durable option.
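
The checks above, as an added example that is not from the OpenCVE page, Microsoft or the extension project: a POSIX shell script that reads the output of `code --list-extensions --show-versions`, reports whether the MSSQL extension is installed and, once the patched version from the Microsoft advisory is known, whether the installed copy is below it. The extension identifier `ms-mssql.mssql` and the `FIXED_VERSION` placeholder are assumptions (the page names neither), and the sample listing embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the OpenCVE page, Microsoft or the extension
# project: classify a host against CVE-2026-47292 from the output of
# `code --list-extensions --show-versions` (one publisher.name@version per line).
#
# Assumptions not stated on the page:
#   - the extension's marketplace identifier is ms-mssql.mssql
#   - FIXED_VERSION is a placeholder; set it to the patched version named in
#     the Microsoft advisory. While it is empty an installed copy is reported
#     as "installed" (fix status unknown) rather than guessed.

EXT_ID="ms-mssql.mssql"
FIXED_VERSION="${FIXED_VERSION:-}"

# ver_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Pre-release suffixes such as "-insiders" are ignored; up to six numeric
# components are compared and missing components count as 0.
ver_lt() {
  va="$(printf '%s' "$1" | sed 's/[^0-9.].*$//').0.0.0.0.0"
  vb="$(printf '%s' "$2" | sed 's/[^0-9.].*$//').0.0.0.0.0"
  i=1
  while [ "$i" -le 6 ]; do
    x=$(printf '%s' "$va" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$vb" | cut -d. -f"$i"); y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# installed_version LISTING: print the installed version of $EXT_ID found in
# LISTING, or nothing if the extension is absent.
installed_version() {
  printf '%s\n' "$1" | awk -F'@' -v id="$EXT_ID" 'tolower($1) == id { print $2; exit }'
}

# assess LISTING: print one of absent | patched | vulnerable | installed.
assess() {
  v=$(installed_version "$1")
  if [ -z "$v" ]; then
    echo absent
  elif [ -z "$FIXED_VERSION" ]; then
    echo installed            # fix version not yet known; treat as exposed
  elif ver_lt "$v" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Constructed sample listing (not real output from any host), used when the
# script is not run with --live so it demonstrates itself offline.
SAMPLE_LISTING='ms-python.python@2024.4.1
ms-mssql.mssql@1.22.1
esbenp.prettier-vscode@10.4.0'

if [ "${1:-}" = "--live" ]; then
  listing=$(code --list-extensions --show-versions 2>/dev/null) || listing=""
else
  listing="$SAMPLE_LISTING"
fi
state=$(assess "$listing")
echo "$EXT_ID: $state"
case "$state" in
  vulnerable|installed) echo "Remove until patched: code --uninstall-extension $EXT_ID" ;;
esac
```

Run it with `--live` on a workstation to query the real extension list, and export `FIXED_VERSION` once the advisory names the patched release. `code --disable-extension ms-mssql.mssql` only disables the extension for that launch of VS Code, which is why the script suggests `--uninstall-extension` as the mitigation while the update is pending.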

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 17:15:00 +0000

Values added (no values removed are listed for this initial entry):

  • Description: Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.
  • Title: Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability
  • First Time appeared: Microsoft; Microsoft visual Studio Code Mssql Extension
  • Weaknesses: CWE-829; CWE-94
  • CPEs: cpe:2.3:a:microsoft:visual_studio_code_mssql_extension:*:*:*:*:*:*:*:*
  • Vendors & Products: Microsoft; Microsoft visual Studio Code Mssql Extension
  • References: (empty)
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T17:48:39.860Z

Reserved: 2026-05-18T23:53:33.897Z

Link: CVE-2026-47292

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-09T17:17:34.800

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-47292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:00:19Z

Weaknesses