Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
Exploitation would require a user to open or view a maliciously crafted notebook so that the affected content is rendered.
Tarek Nakkouch (https://www.linkedin.com/in/tarek-nakkouch/)