CVE alerts for VS Code
CVEye scans every new CVE and notifies your team the moment VS Code is affected — before attackers can exploit it.
Recent VS Code CVEs
Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host.
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps).
Never miss a VS Code vulnerability
CVEye monitors VS Code and your entire stack 24/7, sending instant alerts via email, Slack, Discord, or webhook the moment a new CVE is published.