VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-nr9v-1gex-e3dn

Essentials
Severities (18)
References (18)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-nr9v-1gex-e3dn
Aliases	CVE-2025-30399 GHSA-266m-wp2v-x7mq
Summary	Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-426	Untrusted Search Path
CWE-427	Uncontrolled Search Path Element
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30399.json
epss	0.00206	https://api.first.org/data/v1/epss?cve=CVE-2025-30399
epss	0.00206	https://api.first.org/data/v1/epss?cve=CVE-2025-30399
epss	0.00206	https://api.first.org/data/v1/epss?cve=CVE-2025-30399
cvssv3.1	7.5	https://github.com/dotnet/runtime
generic_textual	HIGH	https://github.com/dotnet/runtime
cvssv3.1	7.5	https://github.com/dotnet/runtime/issues/116495
generic_textual	HIGH	https://github.com/dotnet/runtime/issues/116495
cvssv3.1	7.5	https://github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq
generic_textual	HIGH	https://github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq
cvssv3.1	7.5	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399
cvssv3.1	7.5	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399
generic_textual	HIGH	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399
ssvc	Track	https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-30399
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-30399
cvssv3.1	7.5	https://www.cve.org/CVERecord?id=CVE-2025-30399
generic_textual	HIGH	https://www.cve.org/CVERecord?id=CVE-2025-30399

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30399.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-30399
		https://github.com/dotnet/runtime
		https://github.com/dotnet/runtime/issues/116495
		https://github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq
		https://nvd.nist.gov/vuln/detail/CVE-2025-30399
		https://www.cve.org/CVERecord?id=CVE-2025-30399
2369701		https://bugzilla.redhat.com/show_bug.cgi?id=2369701
CVE-2025-30399		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399
GHSA-266m-wp2v-x7mq		https://github.com/advisories/GHSA-266m-wp2v-x7mq
RHSA-2025:8812		https://access.redhat.com/errata/RHSA-2025:8812
RHSA-2025:8813		https://access.redhat.com/errata/RHSA-2025:8813
RHSA-2025:8814		https://access.redhat.com/errata/RHSA-2025:8814
RHSA-2025:8815		https://access.redhat.com/errata/RHSA-2025:8815
RHSA-2025:8816		https://access.redhat.com/errata/RHSA-2025:8816
RHSA-2025:8817		https://access.redhat.com/errata/RHSA-2025:8817
RHSA-2025:9066		https://access.redhat.com/errata/RHSA-2025:9066
USN-7563-1		https://usn.ubuntu.com/7563-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30399.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/dotnet/runtime

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/dotnet/runtime/issues/116495

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/dotnet/runtime/security/advisories/GHSA-266m-wp2v-x7mq

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-06-13T15:46:01Z/ Found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-30399

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.cve.org/CVERecord?id=CVE-2025-30399

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.42896
EPSS Score	0.00206
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:57:10.796069+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/30xxx/CVE-2025-30399.json	38.6.0