Medium

Relative Path Traversal Information Disclosure in Visual Studio Code

IdentifiersCVE-2026-41612CWE-23· Relative Path Traversal

CVE-2026-41612 is an information disclosure vulnerability in Visual Studio Code caused by relative path traversal. Microsoft classified the issue as relative path traversal and also mapped it to path traversal. Successful exploitation allows an unauthorized attacker to disclose local file system information, specifically file path information, by triggering a payload within the application. The available information does not identify the exact vulnerable function or code path.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized disclosure of local file system information, specifically file path information. Microsoft assessed the confidentiality impact as High, with no impact to integrity or availability. The issue is local in attack vector and does not by itself provide code execution or privilege escalation based on the available information.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting use of untrusted content or workflows that could cause a user to trigger the payload in Visual Studio Code, and restrict local opportunities for attackers to influence file paths or workspace content presented to users. Because exploitation requires user interaction and is local, minimizing user-triggered handling of untrusted project content may reduce risk until the official fix is deployed.

Remediation

Patch, then assume compromise.

Apply the official Microsoft fix for CVE-2026-41612 in the patched version of Visual Studio Code. Microsoft indicated that an official vendor fix was available at publication time.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationLive Previewapplication

Microsoft CorporationVisual Studio Codeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

cyberthroneNews

May 13, 2026

Microsoft Patch Tuesday - May 2026 - TheCyberThrone

A Visual Studio Code vulnerability included in a cluster of fixes affecting VSCode, covering issues such as elevation of privilege, information disclosure, remote code execution, and security feature bypass. The specific flaw type for this CVE is not individually identified in the content.

msrc microsoftNews

May 12, 2026

CVE-2026-41612 - Security Update Guide - Microsoft - Visual Studio Code Information Disclosure Vulnerability

An information disclosure vulnerability in Visual Studio Code caused by relative path traversal that can allow unauthorized local disclosure of file system information, specifically file path information.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41612

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41612

MITRE CWE · CWE-23

Relative Path Traversal

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41612