CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

Visual Studio Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Visual Studio vsix Extension Exec', 'Description' = %q Creates a vsix file which can be installed in Visual Studio Code as an extension. At...

Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a...

Microsoft Visual Studio VSIX Auto Update Deserialization of Untrusted Data Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Visual Studio. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the VSIX Aut...