High severity8.0NVD Advisory· Published May 13, 2025· Updated Jun 17, 2026
CVE-2025-26646
CVE-2025-26646
Description
External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.Build.Tasks.CoreNuGet | >= 15.8.166, < 15.9.30 | 15.9.30 |
Microsoft.Build.Tasks.CoreNuGet | >= 16.0.461, < 16.11.6 | 16.11.6 |
Microsoft.Build.Tasks.CoreNuGet | >= 17.0.0, < 17.8.29 | 17.8.29 |
Microsoft.Build.Tasks.CoreNuGet | >= 17.9.5, < 17.10.29 | 17.10.29 |
Microsoft.Build.Tasks.CoreNuGet | >= 17.11.4, < 17.12.36 | 17.12.36 |
Microsoft.Build.Tasks.CoreNuGet | >= 17.12.6, < 17.13.26 | 17.13.26 |
Microsoft.Build.Tasks.CoreNuGet | >= 17.13.9, < 17.14.8 | 17.14.8 |
Affected products
82- osv-coords75 versionspkg:apk/chainguard/aspnet-8-runtimepkg:apk/chainguard/aspnet-8-runtime-defaultpkg:apk/chainguard/aspnet-8-targeting-packpkg:apk/chainguard/aspnet-9-runtimepkg:apk/chainguard/aspnet-9-runtime-defaultpkg:apk/chainguard/aspnet-9-targeting-packpkg:apk/chainguard/dotnet-8pkg:apk/chainguard/dotnet-8-runtimepkg:apk/chainguard/dotnet-8-runtime-defaultpkg:apk/chainguard/dotnet-8-sdkpkg:apk/chainguard/dotnet-8-sdk-defaultpkg:apk/chainguard/dotnet-8-targeting-packpkg:apk/chainguard/dotnet-9pkg:apk/chainguard/dotnet-9-aotpkg:apk/chainguard/dotnet-9-runtimepkg:apk/chainguard/dotnet-9-runtime-defaultpkg:apk/chainguard/dotnet-9-sdkpkg:apk/chainguard/dotnet-9-sdk-defaultpkg:apk/chainguard/dotnet-9-targeting-packpkg:apk/chainguard/dotnet-bootstrap-8pkg:apk/chainguard/netstandard-8-targeting-packpkg:apk/chainguard/netstandard-9-targeting-packpkg:apk/wolfi/aspnet-8-runtimepkg:apk/wolfi/aspnet-8-runtime-defaultpkg:apk/wolfi/aspnet-8-targeting-packpkg:apk/wolfi/aspnet-9-runtimepkg:apk/wolfi/aspnet-9-runtime-defaultpkg:apk/wolfi/aspnet-9-targeting-packpkg:apk/wolfi/dotnet-8pkg:apk/wolfi/dotnet-8-runtimepkg:apk/wolfi/dotnet-8-runtime-defaultpkg:apk/wolfi/dotnet-8-sdkpkg:apk/wolfi/dotnet-8-sdk-defaultpkg:apk/wolfi/dotnet-8-targeting-packpkg:apk/wolfi/dotnet-9pkg:apk/wolfi/dotnet-9-aotpkg:apk/wolfi/dotnet-9-runtimepkg:apk/wolfi/dotnet-9-runtime-defaultpkg:apk/wolfi/dotnet-9-sdkpkg:apk/wolfi/dotnet-9-sdk-defaultpkg:apk/wolfi/dotnet-9-targeting-packpkg:apk/wolfi/dotnet-bootstrap-8pkg:apk/wolfi/netstandard-8-targeting-packpkg:apk/wolfi/netstandard-9-targeting-packpkg:bitnami/dotnetpkg:bitnami/dotnet-sdkpkg:nuget/microsoft.build.tasks.corepkg:rpm/almalinux/aspnetcore-runtime-8.0pkg:rpm/almalinux/aspnetcore-runtime-9.0pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0pkg:rpm/almalinux/dotnetpkg:rpm/almalinux/dotnet-apphost-pack-8.0pkg:rpm/almalinux/dotnet-apphost-pack-9.0pkg:rpm/almalinux/dotnet-hostpkg:rpm/almalinux/dotnet-hostfxr-8.0pkg:rpm/almalinux/dotnet-hostfxr-9.0pkg:rpm/almalinux/dotnet-runtime-8.0pkg:rpm/almalinux/dotnet-runtime-9.0pkg:rpm/almalinux/dotnet-runtime-dbg-8.0pkg:rpm/almalinux/dotnet-runtime-dbg-9.0pkg:rpm/almalinux/dotnet-sdk-8.0pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-9.0pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-aot-9.0pkg:rpm/almalinux/dotnet-sdk-dbg-8.0pkg:rpm/almalinux/dotnet-sdk-dbg-9.0pkg:rpm/almalinux/dotnet-targeting-pack-8.0pkg:rpm/almalinux/dotnet-targeting-pack-9.0pkg:rpm/almalinux/dotnet-templates-8.0pkg:rpm/almalinux/dotnet-templates-9.0pkg:rpm/almalinux/netstandard-targeting-pack-2.1
< 0+ 74 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 8.0.122-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 8.0.122-r0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: >= 8.0.0, < 8.0.16
- (no CPE)range: >= 8.0.0, < 8.0.101
- (no CPE)range: >= 15.8.166, < 15.9.30
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.116-1.el8_10
- (no CPE)range: < 8.0.116-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 8.0.116-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 8.0.16-1.el8_10
- (no CPE)range: < 9.0.5-1.el8_10
- (no CPE)range: < 8.0.116-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- (no CPE)range: < 9.0.106-1.el8_10
- Range: 17.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10v5Range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12v5Range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.13v5Range: 17.13.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8v5Range: 17.8.0
- Microsoft/.NET 8.0v5Range: 8.0.0
- Microsoft/.NET 9.0v5Range: 9.0.0
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-h4j7-5rxr-p4wcghsaADVISORY
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2025-26646ghsaADVISORY
- github.com/dotnet/announcements/issues/356ghsaWEB
- github.com/dotnet/msbuild/issues/11846ghsaWEB
- github.com/dotnet/msbuild/security/advisories/GHSA-h4j7-5rxr-p4wcghsaWEB
News mentions
0No linked articles in our index yet.