CVSS: 7.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-30399 – .NET and Visual Studio Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-30399
11 Jun 2025 — Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network. A remote code execution vulnerability in .NET 8.0 and 9.0. An attacker who can place malicious files in specific locations may trigger unintended code execution when the .NET runtime loads these files. It was discovered that .NET did not properly validate search path in Microsoft.NETCore.App.Runtime. An attacker could possibly use this issue to execute arbitrary code. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2025-26646 – .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
https://notcve.org/view.php?id=CVE-2025-26646
13 May 2025 — External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. A flaw was found in .NET and Visual Studio. This vulnerability allows an attacker to use specially crafted input to spoof trusted content or identities, potentially misleading users or systems. This issue requires user interaction and limited privileges but can lead to unauthorized actions or escalation due to incorrect identity or content validati... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646 • CWE-73: External Control of File Name or Path CWE-290: Authentication Bypass by Spoofing •
CVSS: 7.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-21172 – .NET and Visual Studio Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-21172
14 Jan 2025 — .NET and Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability was found in .NET. This flaw allows an attacker to load a specially crafted file in .NET. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21172 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 7.3EPSS: 1%CPEs: 6EXPL: 0CVE-2025-21173 – .NET Elevation of Privilege Vulnerability
https://notcve.org/view.php?id=CVE-2025-21173
14 Jan 2025 — .NET Elevation of Privilege Vulnerability An elevation of privilege vulnerability was found in .NET. This flaw allows an attacker to write a specially crafted file in the security context of the local system. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21173 • CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 10.0EPSS: 0%CPEs: 17EXPL: 0CVE-2025-21176 – .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-21176
14 Jan 2025 — .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability was found in .NET. This flaw allows an attacker to load a specially crafted file in .NET. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176 • CWE-126: Buffer Over-read •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-43485 – .NET and Visual Studio Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-43485
08 Oct 2024 — .NET and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. In System.Text.Json, applications that deserialize input to a model with an [ExtensionData] property can be vulnerable to an algorithmic complexity attack, resulting in a denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impa... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0CVE-2024-43484 – .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-43484
08 Oct 2024 — .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. The System.IO.Packaging library may allow untrusted inputs to influence algorithmically complex operations, resulting in a denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubunt... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43484 • CWE-407: Inefficient Algorithmic Complexity CWE-789: Memory Allocation with Excessive Size Value •
CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0CVE-2024-43483 – .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-43483
08 Oct 2024 — .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. The System.Security.Cryptography.Cose, System.IO.Packaging and System.Runtime.Caching components may be exposed to hostile input, making them susceptible to hash flooding attacks, resulting in denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code ... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43483 • CWE-407: Inefficient Algorithmic Complexity •
CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-38229 – .NET and Visual Studio Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-38229
08 Oct 2024 — .NET and Visual Studio Remote Code Execution Vulnerability A flaw was found in dotnet. When closing an HTTP/3 stream while application code is writing to the response body, a race condition can cause a use-after-free. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38229 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 1%CPEs: 4EXPL: 0CVE-2024-38168 – .NET and Visual Studio Denial of Service Vulnerability
https://notcve.org/view.php?id=CVE-2024-38168
13 Aug 2024 — .NET and Visual Studio Denial of Service Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168 • CWE-400: Uncontrolled Resource Consumption •