CVE-2025-26646

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
microsoftCNA
8 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
microsoftbuild_tools
𝑥
< 17.13.7
microsoftvisual_studio_2022
17.8.0 ≤
𝑥
< 17.8.21
microsoftvisual_studio_2022
17.10.0 ≤
𝑥
< 17.10.15
microsoftvisual_studio_2022
17.12.0 ≤
𝑥
< 17.12.8
microsoftvisual_studio_2022
17.13.0 ≤
𝑥
< 17.13.7
microsoft.net
9.0.0 ≤
𝑥
< 9.0.5
microsoft.net
8.0.0 ≤
𝑥
< 8.0.16
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dotnet6
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
deferred
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet7
questing
dne
plucky
dne
oracular
dne
noble
dne
jammy
ignored
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet8
questing
Fixed 8.0.116-8.0.16-0ubuntu1
released
plucky
Fixed 8.0.116-8.0.16-0ubuntu1~25.04.1
released
oracular
Fixed 8.0.116-8.0.16-0ubuntu1~24.10.1
released
noble
Fixed 8.0.116-8.0.16-0ubuntu1~24.04.1
released
jammy
Fixed 8.0.116-8.0.16-0ubuntu1~22.04.1
released
focal
dne
bionic
dne
xenial
dne
trusty
dne
dotnet9
questing
Fixed 9.0.106-9.0.5-0ubuntu1
released
plucky
Fixed 9.0.106-9.0.5-0ubuntu1~25.04.1
released
oracular
Fixed 9.0.106-9.0.5-0ubuntu1~24.10.1
released
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646