CVE-2026-41613
Microsoft · Visual Studio Code
A session fixation and OS command injection vulnerability in Microsoft Visual Studio Code allows remote attackers to elevate privileges via network-based exploitation.
Executive summary
A critical session fixation and OS command injection flaw in Microsoft Visual Studio Code permits unauthorized attackers to achieve privilege escalation over a network.
Vulnerability
This vulnerability combines session fixation (CWE-384) and OS command injection (CWE-78), allowing an attacker to manipulate session states and execute arbitrary commands on the underlying host. The vulnerability requires user interaction (UI:R) but does not require prior authentication (PR:N).
Business impact
The ability to execute arbitrary OS commands leads to a total compromise of the affected system, including full unauthorized access and potential lateral movement within the network. The CVSS score of 8.8 reflects the high potential for system-wide impact, making this a critical priority for security teams.
Remediation
Immediate Action: Update Microsoft Visual Studio Code to version 1.119.1 or later as soon as the update becomes available via the vendor's release channel.
Proactive Monitoring: Monitor system and process logs for anomalous command execution or unexpected child processes originating from the Visual Studio Code application.
Compensating Controls: Restrict network access to development environments and ensure that Visual Studio Code instances are executed with the minimum necessary system privileges to limit the potential impact of command injection.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
The criticality of this vulnerability cannot be overstated, as it provides a path for full remote code execution and privilege escalation. Administrators must ensure all Visual Studio Code installations are updated to the secure version immediately upon release to mitigate the risk of system-wide compromise.