CVE-2026-47292: Visual Studio Code MSSQL Extension Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.8)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jun

Released

2026-06-09

Description

Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have be enticed to open a malicious file in vscode. Users should never open anything that they do not know or trust to be safe.

Affected Products (1)

Developer Tools

• Visual Studio Code - MSSQL Extension

Security Updates (1)

• Release Notes

Acknowledgments

Bankde Eakasit with <a href="https://www.secure-d.tech/">Secure D Center</a>

Revision History

• 2026-06-09: Information published.