CVE-2025-26646

HIGH8.0EPSS 0.10%

.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability

Published: 5/13/2025Modified: 7/11/2025

Also known as:GHSA-h4j7-5rxr-p4wcBIT-dotnet-2025-26646BIT-dotnet-sdk-2025-26646

Description

External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.

Affected packages (3)

Bitnami/dotnet>= 8.0.0, < 8.0.16, >= 9.0.0, < 9.0.5
Bitnami/dotnet-sdk>= 8.0.0, < 8.0.101, >= 9.0.0, < 9.0.100
NuGet/Microsoft.Build.Tasks.Core>= 15.8.166, < 15.9.30

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-26646
PATCHhttps://github.com/dotnet/msbuild
WEBhttps://github.com/dotnet/announcements/issues/356
WEBhttps://github.com/dotnet/msbuild/issues/11846
WEBhttps://github.com/dotnet/msbuild/security/advisories/GHSA-h4j7-5rxr-p4wc
WEBhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646