{"id":"CVE-2025-26646","details":"External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.","aliases":["BIT-dotnet-2025-26646","BIT-dotnet-sdk-2025-26646","GHSA-h4j7-5rxr-p4wc"],"modified":"2026-04-10T05:23:38.270852Z","published":"2025-05-13T22:15:20.493Z","related":["ALSA-2025:7571","ALSA-2025:7589","ALSA-2025:7598","ALSA-2025:7599","ALSA-2025:7600","ALSA-2025:7601","CGA-74x8-73vw-g4mg"],"references":[{"type":"ADVISORY","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dotnet/core","events":[{"introduced":"e18becd6171b8eb0eb4ec7ea8a0280cacfcee36b"},{"fixed":"7373846c08edcf04cbb546521eba3bb5b2fdcb86"},{"introduced":"d78b3180414d35d6c7d136db753474e2ae2b33df"},{"fixed":"7373846c08edcf04cbb546521eba3bb5b2fdcb86"}],"database_specific":{"versions":[{"introduced":"9.0.0"},{"fixed":"9.0.5"},{"introduced":"8.0.0"},{"fixed":"8.0.16"}]}}],"versions":["v10.0.0-preview.1","v10.0.0-preview.2","v10.0.0-preview.3","v10.0.0-preview.4","v6.0.36","v8.0.11","v8.0.12","v8.0.13","v8.0.14","v8.0.15","v9.0.0","v9.0.1","v9.0.2","v9.0.3","v9.0.4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"17.13.7"}]},{"events":[{"introduced":"17.8.0"},{"fixed":"17.8.21"}]},{"events":[{"introduced":"17.10.0"},{"fixed":"17.10.15"}]},{"events":[{"introduced":"17.12.0"},{"fixed":"17.12.8"}]},{"events":[{"introduced":"17.13.0"},{"fixed":"17.13.7"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-26646.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}