Microsoft Visual Studio Code — known CVE vulnerabilities
Every CVE whose affected-product data names Microsoft Visual Studio Code, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (63)
CVE-2026-47281 — CVSS 9.6 (critical): Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41613 — CVSS 8.8 (high): Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-55319 — CVSS 8.8 (high): Ai command injection in Agentic AI and Visual Studio Code allows an unauthorized attacker to execute code over a network.
CVE-2024-43488 — CVSS 8.8 (high): Missing authentication for critical function in Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform…
CVE-2020-1416 — CVSS 8.8 (high): An elevation of privilege vulnerability exists in Visual Studio and Visual Studio Code when they load software dependencies, aka 'Visual…
CVE-2026-41109 — CVSS 8.8 (high): Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio…
CVE-2026-21518 — CVSS 8.8 (high): Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an…
CVE-2026-45482 — CVSS 8.4 (high): Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose…
CVE-2025-64660 — CVSS 8.0 (high): Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.
CVE-2026-21523 — CVSS 8.0 (high): Time-of-check time-of-use (toctou) race condition in GitHub Copilot and Visual Studio allows an authorized attacker to execute code over a…
CVE-2019-0728 — CVSS 7.8 (high): A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project, aka…
CVE-2019-1414 — CVSS 7.8 (high): An elevation of privilege vulnerability exists in Visual Studio Code when it exposes a debug listener to users of a local computer, aka…
CVE-2020-0604 — CVSS 7.8 (high): A remote code execution vulnerability exists in Visual Studio Code when it process environment variables after opening a project. An…
CVE-2020-16881 — CVSS 7.8 (high): <p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file…
CVE-2020-17023 — CVSS 7.8 (high): <p>A remote code execution vulnerability exists in Visual Studio Code when a user is tricked into opening a malicious 'package.json' file…
CVE-2018-0597 — CVSS 7.8 (high): Untrusted search path vulnerability in the installer of Visual Studio Code allows an attacker to gain privileges via a Trojan horse DLL in…
CVE-2026-41611 — CVSS 7.8 (high): Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to…
CVE-2026-47292 — CVSS 7.8 (high): Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges…
CVE-2026-40376 — CVSS 7.5 (high): Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-48569 — CVSS 7.1 (high): Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-21264 — CVSS 7.1 (high): Files or directories accessible to external parties in Visual Studio Code allows an unauthorized attacker to bypass a security feature…
CVE-2020-16977 — CVSS 7.0 (high): <p>A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads a Jupyter notebook file. An attacker…
CVE-2025-32726 — CVSS 6.8 (medium): Improper access control in Visual Studio Code allows an authorized attacker to elevate privileges locally.
CVE-2026-47284 — CVSS 6.5 (medium): Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information…
CVE-2026-47287 — CVSS 6.5 (medium): Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.
CVE-2026-41610 — CVSS 6.3 (medium): Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker…
CVE-2025-62453 — CVSS 5.0 (medium): Improper validation of generative ai output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security…