CVE-2026-41613

Daily digests

A session fixation bug in Visual Studio Code lets an unauthenticated attacker escalate privileges over the network. CVSS 8.8. Practically, an attacker could fix a session token and trick a developer into using it, then hijack their VS Code session. This likely requires some social engineering or network positioning to pull off.

• Patch Tuesday · May 13, 2026

  Patch Tuesday May 2026: DNS + Netlogon at 9.8, 19 more