Microsoft Fixes Visual Studio Code Path Traversal Information Disclosure
Microsoft disclosed and patched CVE-2026-41612, an information disclosure flaw in Visual Studio Code caused by relative path traversal and path traversal issues. The vulnerability is mapped to CWE-23 and CWE-22 and could allow an unauthorized local attacker to disclose file system information, potentially exposing sensitive data on affected systems.
Microsoft assigned the bug a CVSS 3.1 score of 5.5 and said exploitation requires user interaction. The company rated the issue as having high confidentiality impact with no integrity or availability impact, assessed exploitation as less likely, and reported that the flaw was not publicly disclosed and not exploited in the wild at the time of publication. An official security fix is available through Microsoft's update guidance.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Microsoft discloses CVE-2026-41612 and makes a fix available
Microsoft published CVE-2026-41612, an information disclosure vulnerability in Visual Studio Code involving relative path traversal and path traversal that could let a local unauthorized attacker disclose file system information with user interaction. Microsoft said the issue was not publicly disclosed or exploited at the time of publication and indicated that an official fix was available.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Fixes Visual Studio Code Elevation of Privilege Flaws
Microsoft disclosed and patched multiple **elevation of privilege** vulnerabilities affecting **Visual Studio Code** and its **JS Debug Extension**, including `CVE-2025-24039`, `CVE-2025-24042`, and `CVE-2026-41613`. The latest issue, `CVE-2026-41613`, is rated **Important** with a **CVSS 3.1 score of 8.8** and is described as a **session fixation** flaw mapped to `CWE-384` and `CWE-78`. Microsoft said the vulnerability affects Visual Studio Code itself, while the earlier 2025 advisories cover separate privilege-escalation bugs in the core product and the JS Debug Extension. According to Microsoft, exploitation of `CVE-2026-41613` requires **user interaction**, specifically convincing a target to open a malicious file in VS Code, and could allow an attacker to obtain the permissions of the **MCP Server’s managed identity**. Microsoft said the flaw was **not publicly disclosed** and **not exploited** at the time of release, assessed exploitation as **less likely**, and made a fix available; the issue was credited to **Elad Luz of Oasis Security** through coordinated disclosure.
May 25, 2026
Microsoft disclosed elevation-of-privilege flaws in Visual Studio and Windows SDK
Microsoft published Security Update Guide entries for multiple **elevation-of-privilege** vulnerabilities affecting developer tooling, including **Visual Studio** and the **Windows SDK**. The referenced issues include `CVE-2025-55240` and `CVE-2024-49044` in Visual Studio, as well as `CVE-2025-47962` in the Windows SDK, indicating that software used to build and maintain applications was impacted rather than a single end-user product. The disclosures appeared across both vulnerability and advisory pages in Microsoft's update portal, with `CVE-2024-49044` listed in both formats. While the entries provided no public synopsis in the referenced material, the classification of all three flaws as elevation-of-privilege bugs signals a risk that an attacker could gain higher permissions through affected development environments, making patch review and remediation in enterprise developer workstations a priority.
Jun 23, 2026
Critical Microsoft Excel Information Disclosure Vulnerability (CVE-2026-26144)
Microsoft published guidance for **CVE-2026-26144**, a **Critical** *Microsoft Excel* **information disclosure** vulnerability tracked in the Microsoft Security Update Guide. Microsoft maps the issue to **CWE-79** (improper neutralization of input during web page generation / XSS) and provides CVSS v3.1 scoring indicating network-reachable exploitation conditions with high confidentiality impact (vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`). The advisory is available via MSRC’s Update Guide endpoints (including RSS, PowerShell, API, and CSAF links) to support patch/vulnerability management workflows. No additional incident context, exploitation details, or third-party reporting is included in the provided material beyond the MSRC advisory metadata and scoring.
Mar 21, 2026