{"id":10741,"date":"2026-02-18T10:03:42","date_gmt":"2026-02-18T10:03:42","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/18\/microsoft-vs-code-extension-with-11m-downloads-expose-developers-to-one-click-xss-attacks\/"},"modified":"2026-02-18T10:03:42","modified_gmt":"2026-02-18T10:03:42","slug":"microsoft-vs-code-extension-with-11m-downloads-expose-developers-to-one-click-xss-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/18\/microsoft-vs-code-extension-with-11m-downloads-expose-developers-to-one-click-xss-attacks\/","title":{"rendered":"Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks"},"content":{"rendered":"<p>    Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical vulnerability discovered in Microsoft\u2019s popular\u00a0Visual Studio Code (VS Code) Live Preview\u00a0extension, downloaded over 11 million times, exposes developers to\u00a0<a href=\"https:\/\/cybersecuritynews.com\/citrix-netscaler-adc-and-gateway-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">one-click cross-site scripting (XSS)<\/a>\u00a0and\u00a0local file exfiltration attacks.<\/p>\n<p>The flaw, now patched, was discovered by researchers\u00a0Nir Zadok\u00a0and\u00a0Moshe Siman Tov Bustan\u00a0from\u00a0OX Security. The issue affects all versions of the Live Preview extension up to\u00a00.4.16.<\/p>\n<p>The vulnerability arises from improper handling of untrusted input in the local development server that Live Preview runs on a developer\u2019s machine.<\/p>\n<p>When exploited, a malicious website could send\u00a0unauthenticated HTTP requests\u00a0to this locally hosted server, allowing attackers to enumerate files on the developer\u2019s root directory.<\/p>\n<p>By <a href=\"https:\/\/cybersecuritynews.com\/new-magecart-attack-inject-malicious-javascript\/\" target=\"_blank\" rel=\"noreferrer noopener\">injecting a crafted JavaScript payload<\/a>, threat actors could exploit a reflected XSS vulnerability within Live Preview\u2019s file handling logic.<\/p>\n<p>This flaw would allow them to access sensitive local files, such as environment configuration files (.env), API keys, or source code, and\u00a0exfiltrate this data\u00a0to an attacker-controlled server.<\/p>\n<p><a href=\"https:\/\/www.ox.security\/blog\/xssinlivepreview\/?utm_source=cybersecuritynews\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to OX Security<\/a>, the vulnerability was responsibly disclosed to Microsoft on\u00a0August 7, 2025. Initially, Microsoft classified it as a low-severity issue, noting that it requires specific conditions and user interaction.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"XSS in Live Preview, Microsoft VS Code Extension with 11M Downloads\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/wQg6e_C82nU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div>\n<\/figure>\n<p>However, a\u00a0silent patch\u00a0was later released on\u00a0September 11, 2025, in version\u00a00.4.16, addressing the XSS issue without public acknowledgment.<\/p>\n<p>Researchers verified that the patch implemented an\u00a0escapeHTML\u00a0function to sanitize input properly, neutralizing the attack vector.<\/p>\n<p>Developers are strongly advised to\u00a0update to the latest version\u00a0immediately to prevent potential exploitation.<\/p>\n<p>Systems running outdated versions of Live Preview are at risk of data exposure, especially if the extension remains active while <a href=\"https:\/\/cybersecuritynews.com\/critical-apache-http-server-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">browsing untrusted websites.<\/a><\/p>\n<h2 class=\"wp-block-heading\" id=\"h-exploitation-scenario\"><strong>Exploitation Scenario<\/strong><\/h2>\n<p>The attack requires minimal user interaction. When a developer has Live Preview running, visiting a compromised or malicious webpage could automatically trigger requests to the local Live Preview server (typically hosted on\u00a0localhost:3000).<\/p>\n<p>This would grant the attacker access to internal paths and allow JavaScript-based payloads to silently extract configuration files.<\/p>\n<p><strong>To reduce exposure:<\/strong><\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Recommendation<\/th>\n<th>Action<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Update Software<\/strong><\/td>\n<td>Upgrade Live Preview to version 0.4.16 or later<\/td>\n<\/tr>\n<tr>\n<td><strong>Disable Extensions<\/strong><\/td>\n<td>Remove or disable unused IDE extensions<\/td>\n<\/tr>\n<tr>\n<td><strong>Restrict Services<\/strong><\/td>\n<td>Use a firewall to limit access to local development services<\/td>\n<\/tr>\n<tr>\n<td><strong>Disable Localhost Services<\/strong><\/td>\n<td>Turn off localhost-based services when not in use<\/td>\n<\/tr>\n<tr>\n<td><strong>Routine Updates<\/strong><\/td>\n<td>Regularly apply updates across all development tools<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Given the widespread use of <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-may-abuse-vs-code-extensions\/\" target=\"_blank\" rel=\"noreferrer noopener\">VS Code in software development<\/a>, this finding underscores the importance of\u00a0securing developer environments\u00a0and minimizing unnecessary local exposure during testing.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-vs-code-extension-11m-downloads\/\">Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-vs-code-extension-11m-downloads\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft VS Code Extension with 11M Downloads Expose Developers to One-Click XSS Attacks A critical vulnerability discovered in Microsoft\u2019s popular\u00a0Visual Studio Code (VS Code) Live Preview\u00a0extension, downloaded over 11 million times, exposes developers to\u00a0one-click cross-site scripting (XSS)\u00a0and\u00a0local file exfiltration attacks. The flaw, now patched, was discovered by researchers\u00a0Nir Zadok\u00a0and\u00a0Moshe Siman Tov Bustan\u00a0from\u00a0OX Security. The issue [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,158,648],"tags":[130],"class_list":["post-10741","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-microsoft","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10741"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10741"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10741\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}