MEDIUM 6.5

CVE-2026-47287: Visual Studio Code Path Traversal – File Tampering Vulnerability

Visual Studio Code contains a path traversal vulnerability that could allow an attacker to modify files on your system through a malicious link or network request. The vulnerability requires user interaction—such as clicking a link or opening a file—but does not require authentication. An attacker cannot read sensitive data through this vulnerability, but they can alter or corrupt files if they successfully exploit it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-23
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47287 is a relative path traversal vulnerability (CWE-23) in Visual Studio Code that enables unauthorized file tampering over network vectors. The vulnerability has a CVSS 3.1 score of 6.5 (Medium severity) with the following characteristics: network-based attack vector, low complexity, no privilege requirements, and user interaction needed. The impact is limited to integrity—attackers cannot achieve confidentiality or availability breaches. The vulnerability stems from insufficient validation of relative path constructs, which can be exploited to write or modify files outside the intended directory scope.

Business impact

For development teams and organizations that rely on Visual Studio Code, this vulnerability poses a moderate but concrete risk of supply chain and development environment contamination. A successful attack could result in injection of malicious code into development projects, compromised build artifacts, or corruption of configuration files. The requirement for user interaction—such as opening a specially crafted project or following an attacker-supplied link—provides a window for social engineering attacks. Teams with shared development environments or CI/CD pipelines integrated with untrusted project sources face elevated exposure.

Affected systems

The vulnerability affects Visual Studio Code across all platforms where it is deployed. The CVSS vector specifies no special software or hardware requirements beyond the application itself. Users running any version of Visual Studio Code that does not include the patch are potentially affected. The vulnerability is network-accessible, meaning exploitation does not require local system access.

Exploitability

Exploitability is moderate. An attacker must craft a malicious project, file, or network request that triggers Visual Studio Code's path traversal logic, and must convince a user to interact with it—for example, by opening a project or clicking a link. No zero-click exploitation is possible; user interaction is mandatory. The attack does not require prior authentication or elevated privileges. Given that developers commonly clone repositories and open projects from varied sources, the social engineering component is plausible in real-world scenarios.

Remediation

Users should update Visual Studio Code to the latest patched version as specified in Microsoft's advisory. Verify the exact patch version against the official Microsoft Visual Studio Code release notes, as version numbers may vary by update channel. No workarounds are documented at this time. Organizations should prioritize patching development machines and shared development servers.

Patch guidance

Check Microsoft's official Visual Studio Code security advisory and release notes for the specific patched version addressing CVE-2026-47287. Visual Studio Code typically offers automatic updates; ensure this feature is enabled. If you manage multiple instances, verify the patch version in each environment. Test the update in a non-critical environment first if your development workflow is tightly integrated with Visual Studio Code extensions or configurations.

Detection guidance

Monitor for suspicious file creation or modification activity in directories where Visual Studio Code is installed or where projects are stored. Look for unexpected relative path constructs in project files, build scripts, or configuration data. Audit project directories for files with modification timestamps that predate user actions. Check Visual Studio Code logs for errors or warnings related to file access. Network detection is limited without deep packet inspection, but monitor for unusual HTTP/HTTPS traffic to development machines from external sources combined with subsequent local file activity.

Why prioritize this

While this vulnerability requires user interaction and does not affect confidentiality, the integrity impact combined with network exploitability and the ubiquity of Visual Studio Code in development environments warrants timely patching. Development machines are often used to build and sign artifacts that propagate downstream; compromising them can affect the security posture of entire products. The moderate CVSS score should not be interpreted as low urgency for development-focused organizations.

Risk score, explained

The CVSS 3.1 score of 6.5 (Medium) reflects: network-based attack surface (AV:N), low attack complexity requiring no special conditions (AC:L), no requirement for authentication or privilege escalation (PR:N/UI:R), scoped to the attacked component (S:U), high integrity impact (I:H), and no confidentiality or availability impact (C:N/A:N). The Medium severity is appropriate because integrity compromise of development files is serious but mitigated by the requirement for user interaction and the absence of confidentiality or availability effects.

Frequently asked questions

Does this vulnerability allow an attacker to steal my source code or credentials?

No. The vulnerability affects only file integrity—an attacker can modify or create files, but cannot read existing files or extract sensitive data like credentials or source code from your system.

Can I be exploited if I simply have Visual Studio Code installed but do not open suspicious projects?

Exploitation requires user interaction such as opening a file or project. Simply having the application installed is not sufficient for an attacker to exploit this vulnerability remotely.

What should development teams do immediately?

Update Visual Studio Code to the patched version as soon as possible, especially on machines that build or sign artifacts. Review recent projects opened from untrusted sources for unexpected modifications. Consider using Software Composition Analysis (SCA) tools to detect anomalous changes in dependencies or build outputs.

Is this vulnerability currently being exploited in the wild?

As of the publication date, this vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed active exploitation. However, organizations should not rely on this status as a reason to delay patching.

This analysis is based on publicly disclosed vulnerability data as of June 2026. Patch version numbers and remediation steps should be verified against the official Microsoft Visual Studio Code security advisory before implementation. SEC.co makes no warranty as to the completeness or accuracy of threat intelligence derived from third-party sources. Consult with your security team and vendor documentation for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).